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ABS TRACT 


Several methodologies relevant to the development of a 
Safety program for the Korean Air Force were reviewed. 
Methodologies considered included: 

ie Control charts 

2) System safety analysis 

3) Critical incident technique. 

Data collection methods applicable to accident analysis 
were proposed. 

Recommendations for the incorporation of these methods 
into a safety program for the K.A.F. were developed. 

The safety program described in the current thesis 
possesses the potential for reducing overall operational 
costs and maximizing aircraft availability. The end result 
of such a program can only serve to increase operational 
readiness and thereby maximize overall efficiency and 


Pelttary capability of the K.A.F. 
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I. INTRODUCTION 


Safety is generally recognized as an essential part in 
Overall system operation. According to Lawrence (1976) safety 
can be defined as a judgment of the acceptability of risk. 
"Safety 1s the minimization of injury and loss resulting from 
nondeliberate acts such as accidents and natural calamities" 
(National Safety Council, 1973). 

A function is safe if its risks are judged to be acceptable. 
This definition emphasizes the relativity and judgmental 
nature of the concept of safety. It also implies that two 
very different activities are required for determining how 
Safe things are: 

a. Measuring risk, an objective but probabilistic pursuit. 
b. Judging the acceptability of that risk (juding safety), 
a matter of personal, social and economic value judgment. 

System safety is required to prevent injury and damage 
in system design. Hammer (1972) in his Handbook of System 
and Product Safety suggests that injury or damage can result 
from four fundamental causes or combinations thereof: 

a. material failure. 
b. human error. 
Cc. adverse characteristics of a product. 
d. unusual environmental conditions. 
Recently, personnel concerned with accident prevention 


Nave become more convinced that injury or damage from any 





of those causes can be prevented or lessened through good 
design and planning (Figures 1 and 2). Figure 1 suggests 

a model of the material failure/malfunction accident. The 
approach to the investigation, analysis, and prevention of 
mishaps caused by material failure/malfunction is FIRE 
(material failure/malfunction, system inadequacy, and remedial 
measure). They are defined as follows: 

a. A material failure/malfunction (F) 1S a component or 
system that 1) ceases to operate entirely, 2) operates, 
but not as designed or intended, 3) operates as de- 
Signed, however, operational needs require enhanced 
performance. A material failure/malfunction is con- 
sidered for analysis only when it 1s judged to have 
caused or contributed to the mishap, not resulted 
from the mishap. 

b. A system inadequacy (I) is an element of the aviation 
system that did not operate as intended or designed. 

An I is assigned only when it 1s judged to have 
caused, allowed, or contributed to the occurrence 

of an F. More than one I may be assigned to a given 
Ee. 

c. A remedial measure (RE) iS an action required to correct 
or at least reduce the operational impact of an I. The 
RE may be directed at any command level for implan- 
tation and is not to be restricted by current tech- 
nology or budgetary, personnel, and equipment resources. 
More than one RE may be recommended for a given I. 

Figure 2 presents a functional model of U.S. Army's Air- 
craft Accident to the pilot error accident among human errors. 
Items 1 through 8 are the basic elements of the aviation sys- 
tem. When one or more of these elements is out of tolerance, 
an overload (Item 9) is placed on the pilot's system role 
(Item 10) in that he must continue to perform his normal tasks 


while correcting or adjusting for the abnormal system condi- 


tion. When this exceeds the pilot's ability to cope with it 
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Figure 1. Model of Mishap Caused by Material Failure/ 
Malfunction (G. Dwight Lindsey and William 
R. Brown [1979], Appendix F-3) 
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Figure 2. Model of Accident Involving Pilot Error 
(Ricketson, 1974) 


Or occurs at a critical time, he makes errors (Item 11) in 
his normal tasks and/or in handling the abnormal condition. 
Meet or these errors slip by without causing an accident 
(Item 12). But, when events or circumstances operate un- 
Favorably, theerror leads to an accident (Item 13). 

This approach views pilot error accidents as the result 
of the pilot's system role being overloaded by inadequacies 
of the pilot, other systems elements, or both. Accidents 
describe a point in time to look for system inadequacies. 
This model exemplifies an attempt to approach accident causes 
From a "Systems" standpoint. Research has indicated that 
human error, unlike hardware difficiency, is rarely the sole 


Factor in an accident. The applicability of this functional 
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meget 1S not limited to pilot error accidents. It is a model 
that may be used in any evaluation of a man-machine system. 
The most commonly designated cause of accidents is human 
error. In the past decade, more than 70% of Korean Air Force 
aircraft accidents have been attributed to human error 
eeieerart Accident Data of Korean Air Force, 1980). In acci- 
dents where material failure is recognized, it is often quite 
possible to continue tearing down the equipment until the pre- 
cise portion that failed is isolated and the cause of the 
failure, whether it be corrosion, stress, faulty load con- 
ceptualization, or other factors, can be determined and rede- 
Sign proposed. In case of human error, however, the static 
statement that a human being failed provides no guidance to 
future improvement. The need to reduce human error to its 
basic constituents as a means of obtaining insight into the 
causes of these failures has resulted in various approaches 
to segmenting human behavior for analytical purposes. 
According to Florio and Stafford (1969), when the primary 

factor of an accident is attributed to human error the acci- 
dent cause may be classified into five general areas: 

a. Inadequate knowledge. 

Bee Insufficient skills. 

c. Environmental hazards. 

dad. Improper habits and attitudes. 

e. Unsafe behavior. 


Each of these areas are discussed below: 


is 





Inadequate knowledge. Knowledge is the foundation for 
understanding and the spring-board for the development of 
desirable attitudes toward safe behavior. Ideally every 
individual should learn and appreciate safety rules. Ade- 
quate knowledge is vital if a person is to avoid hazardous 
Situations and react properly in such a situation. Also, 
proper knowledge enables the individual to recognize and 
evaluate dangerous situations (1.e., be aware of tolernace 
limits of the system). 

Insufficient skill. Attempting to perform tasks beyond 
one's ability level creates high-risk situations; thus skill 
level is an important determinant in accident prevention. 
Skills are affected by many things, such as strength, fatigue, 
attitudes, emotion, alcohol, vision, and others. 

Environmental hazards. It is unrealistic to think that we 
can create a perfectly safe environment. Despite our ina- 
bility to control our environment completely, only a small 
percentage of accidents are strictly attributed to environ- 
mental factors. Good engineering practices with good design 
reduce the environmental problems. 

Improper habits and attitudes. Every worker should thoroughly 
understand the development of attitudes and their possible 
modifications. 

Unsafe behavior. Unsafe behavior is the end result of man's 
failure to develop proper habits, attitudes, and knowledge 


concerning safety. Safe behavior entails responding correctly 
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under all circumstances, and avoiding, when possible, high- 
risk situations. There is no excuse for purposely engaing in 
unsafe behavior. 

Accidents are the result of many proximate and casual fac- 
tors. These factors, or variables, interact to creat unsafe 
acts and unsafe conditions, or both, which can terminate in 
an accident causing injury, death, or property damage. An 
unsafe act or condition alone, or in some combination, if 
occurring at the right time may create an accident. 

It iS axiomatic that effective prevention must have a 
focal point of application. This implies that the probable 
cause of future accidents can be predicted. This, in turn, 
implies that the causes of past accidents have been determined. 

The cost of accidents is high. In the past decade from 
1970, the cost of aircraft accidents in the Korean Air Force 
approaches $50 million (not including piloes) [Aircraft 
Accident Data of Korean Air Force, 1980]. As a country that 
has small numbers of aircraft, this represents a tremendous 
cost. In the case of the U.S. Navy/Marines, the total acci- 
dent cost (Figure 3) is greater than the K.A.F. For ulti- 
mate efficiency with maximum operational readiness and minimum 
cost, more detailed accident prevention programs must be 
Followed. Accident prevention is best pursued within the 
framework of a systematic program (Figures 4, 5, 6). 

Figure 4 represents a model of the factors that may be 


involved in carrying out a system safety program. Minor 
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Figure 5. An Optimal Level of Safety Performance 
eicdtotaraleenginecring, Jan. 1976, p. 20) 
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Figure 6. Safety Improvement Flow Chart 


(Industrial Engineering, March 
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differences will exist in actual practice because of the 
different organizational structures. However, the model 
indicates broadly the process that takes place. 

A safety program, regardless of its characteristics or 
meet, aces cost money and require time. It 1s generally 
accepted that as the level of safety performance increases, 
the better will be the chances for reducing hazards, and 
consequently, the frequency as well as severity of accidents. 
Beyond a certain performance level, however, the expected 
reduction in hazards starts to taper off and will not be of 
appreciative magnitude to offset the cost associated with 
high levels of safety activities. This is explained well 
mmaerigure 5. 

Figure 6 as presented in the overall safety improvement 
effort through the accidents reduction approach, includes the 
following basic steps. 

a. Field data assembly. 

In this step operating data are gathered on the system 
to be analyzed to: acquaint the analyst with system opera- 
ting methods, procedures and equipment; and obtain operating 
data in the form of methods and time data for system operations. 
In addition, accident data are gathered to provide a basis 
for identifying accident problem areas and determining poten- 
tial accident cost savings. 

b. System definition. 
Flow charting. Functional flow charts should be developed 


to define the system. The charts serve as a guide for project 
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members, put them on the same level of thinking, and allow 
standard methods and procedure references that all understand. 

The charts should have a numbering system by function 
to permit coding of accident data. The codes allow quick 
reference to what work function was being performed when an 
accident occurred, and are a means for computerized accident 
information storage and retrieval. 

Accident data. All accident data gathered are defined/ 
coded by work function and hazards or causes assigned to 
accidents. Hazards definition is needed to indicate equip- 
ment and system shortcomings with regard to safety. 

c. Identifying problem areas. 

Once hazards and safe data have been gathered, they 
must then be examined for safety problem areas. The problem 
areas should be defined so that concepts may be readily 
developed. 

d. Concept development. 

Once safety problems have been defined, the next step 
is to develop concepts that will eliminate or protect against 
nazards and, as a result, reduce accidents. 

e. Safety evaluation. 

The effects on safety are determined by using the hazards 
exposure data and estimating the reduction in hazards exposure 
for all functions attributable to a new concept. The hazards 
exposure reduction is an engineering estimate made by com- 
paring current machines/systems with those proposed, and 


noting by work function where hazards exposures have been 


Zu 





increased or decreased and by how much. The reduction ex- 
Meeted in accidents 1S proportional to the reduction in the 
hazard exposure. 

f. Recommendations. 

The last step is to consider evaluation results for con- 
cepts and alternatives and make a decision for further study, 
or choose the most attractive alternatives for design 
development. 

There are certain fundamental concepts and methods that, 
if properly applied, can increase the probability of success. 
Accident prevention 1S a composite of many related functions, 
each of which must be given proper weight to assure a balanced 
and productive program. It may be considered a closed-loop 
system (Figure 7) comprising many feedback loops in which 
information 1s collected by the responsible agency, 1S appro- 
priately processed, is systematically analyzed, and then is 
disseminated to those in a position to make use of the infor- 
mation. The results of this dissemination are reevaluated in 
the light of future accidents. 

To put safety in its proper perspective, it must be first 
realized that safety and efficiency are products of each 
other. That is, the safe establishment is efficient. With 
this in mind, safety then becomes a management problem and 
not just the concern of the foreman or the supervisor. 

Petersen (1978) suggests five basic principles of a safety 


management program. These are: 


Lie 








FIX PREACCIDENT PLAN 


RECOMMENDATIONS ACCIDENT 


DISSEMINATE INVESTIGATE 


ANALYZE REPORT 


CLOSED LOOP FEEDBACK SYSTEM 


Figure 7. Organizational Approach to Safety 
(Zeller, 1978) 


a. An unsafe act, an unsafe condition, and an accident 
are all symptoms of failure in the management system. 

bee Certain circumstances are predictive of severity of 
accidents. 

c. Safety should be managed like any other operational 
fume tion. 

d. An effective safety program will provide establishment 
of responsibility and accountability. 

peeeeime function of safety is to locate and define the 
operational errors that allow accidents to occur. 
This function can be carried out in two ways: 1) by 
asking why accidents happen--searching for their root 
causes--and 2) by asking whether certain known effec- 


tive controls are being utilized. 
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Now comes the problem of safety measurement. W. Tarrants 
(1979) discussed this problem as the problem that has existed 
Since the very beginning of organized attempts to control 
accidents and their consequences. In its most elementary 
form, measurement has been defined as "the process of assign- 
ing numerals to objects according to rules" (Stevens, 1951). 
When we apply this definition in the safety field, we are 
quickly confronted with problems concerning what "objects" to 
measure and what "rules" to follow. 

The progress and maturity of a science or technology are 
often judged by whatever success has been achieved in the use 
of measures. Measurement, perhaps more than any other single 
aspect, has been the principle stimulus of progress in all 
professional fields. MeaSurement is the backbone of any 
scientific approach to problem definition and solution. With- 
Out adequate measurement in the safety field we can not des- 
cribe the safety state of our operations or determine whether 
or not our safety programs are really accomplishing anything. 
Sound meaSurement is an absolute prerequisite for control and 
both are necessary for prediction. 

The present thesis effort will 1) perform a literature 
Survey of the techniques to measure safety which are applica- 
ble to measurement of flight safety, 2) emphasize the importance 
of accident data collection for analyzing them, 3) refer to 
K.A.F. accident data currently collected whether they are 


applicable or not to measure flight safety, and finally 
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suggest methodology to collect data for applying each 
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Peo bteRnoURE SURVEY 


It has become apparent that there are many problems asso- 
ciated with defining a universal criterion for safety measure- 
ment and assessment. One of the chief concerns with the 
conventional standards is the emphasis on accident data. 

Many now recognize that this 1S more a reaction to existing 
problems than action toward prevention or control of future 
problems. Although experience can be a valuable teacher, 
accident experience points to needless loss, and too often 
doesn't give sufficient information for prevention. 

Personal values present another problem in safety measure- 
ment and assessment. Safety attitudes are strongly dependent 
on the personal values of workers, line management, and 
corporate management; effective safety measurement techniques 
must be capable of addressing this behavioral aspect. 

Applying statistical methods to the population of events 
related to accidents is another problem area. Predictions 
based on statistical analyses of accident data have been 
described as unreliable due to the combination of variables, 
rare events and small sample sizes. Often, attempts are 
made to by-pass this obstacle by combining nonsimilar events 
into a larger population universe. 

Among the methods used for safety measurement are included 
statistical quality control techniques, system safety analysis 


techniques, critical incident technique, learning curve, 
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frequency and severity rate, safety sampling, double average 
comparison technique. Here the author will describe the 


methods which are applicable to flight safety measurement. 


A. CONTROL CHARTS 

Greenberg (1971) suggests that the techniques of statis- 
tical quality control are ready-made tools for safety analy- 
Sis because the safety professional has common problems with 
the quality inspector: both would like to be everywhere 
Simultaneously to detect changes; and both have to apply some 
practical, effective approaches to their problems. Control 
charts are used for this purpose. According to Brown (1976), 
a control chart is a visual means by which an analyst judges 
whether a process iS in control or not. The measurement 
plotted on the chart are those of any random variable. Hence 
the frequency and severity of accidents, as well as any other 
intermediate indicator of hazards, could be plotted. Judgments 
based upon these plots determine if the process is in control 
with respect to the random variable under consideration. 

Peagure 8 Shows the typical layout of a control chart. 
The units of the random variable are given on the vertical 
scale, indicating that the height of the plotted point repre- 
sents the value of the random variable for the indicated 
time period. The time scale, given by horizontal line 
Shows when the value occurred. 

Measurement of central tendency and spread define the 


expected concentration and range of the variable. Thus, if 
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the variable behaves in a nonrandom way, we can conclude that 
an outside influence is affecting the random variable. The 
common way of identifying when this occurs is through the 

use Of an upper and a lower control limit. These are generally 
placed at equal distances above and below the mean line. 

The measured values as they are recorded in time are 
plotted as indicated in Figure 8. A point falling above or 
below the control limits, respectively, is indicative of an 
out-of-control situation, and assignable causes are generally 
sought. There are other indications of out-of-control situa- 
tions, also. However, prior to discussing these, the means 
mero btalning the control limits will be given. 

The procedures for setting control limits are essentially 
the same as those for setting the acceptance limits in a test 
of hypothesis. The first step involves the establishment of 
Significance level a, that is, the probability of concluding 
Pree the process is out of control when in fact it is in con- 
trol. If methods of identifying causes are expensive and 
maeevariable is not critical, a low probability can be tolerated. 
HOwever, if an early indication of lack of control is necessary, 
then a high probability of this error should be specified. 

Once the value of a is determined, the next question involves 
the definition of control. Quite often the state "out of con- 
meek Occurs in one direction only, that is, upper control 
limit would be required as it would in most cases of pollution 
measurements (Figure 9). Other monitoring of processes would 


require both an upper and a lower control limit. 
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Figure 9. Sample of a Safety Control Chart Used in 
Statistics Approach to Safety Evaluation 
Vincuictrtal Engineering, Dec. 1975, p. 20) 


In either case, the value of a chosen will represent the 
feed! area Of probability in the out-of-control portion of 
the chart. The upper and lower control limits are obtained 
depending upon the random variable, its distribution, and 
the value of a chosen. 

Brown (1976) suggests in the following example that the 
frequency of accidents of a plant has a normal distribution 


with a mean of 6 and a standard deviation of 1.5. Frequencies 
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memetene first 6 months have been 4, 7, 5, 12, 8, and 6. Set 
Gemeimonthiy control chart for frequency. Allow for a .05 
See@meability of calling a point out of control when it is not. 
Mmimeiis example “out of control” is strictly in terms of 
an upper limit. However, the analyst chooses to set up a 
lower limit to provide possible evidence of a lowering of the 
accident frequency. Thus the .05 probability will be divided, 
.025 above the upper limit and .025 below the lower limit. 


The upper limit becomes 


Leyes. x + O 


way. x 
= 6 + 1.96(1.5) = 8.94 
and the lower limit is 
L.L. = Xo Z 925 = 
——emome |. 960(1.5) = 3.06 
where 
a <== (which "standardizes" any normally 


distributed random variable) 
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faemcentrol chart is given in Figure 10. The fourth month 
was obviously out of control, and assignable causes should be 
sought. In this example the assumption of normality should 


Bemeeested Since it does not hold generally. 
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Figure 10. Control Chart for Example Described in 
Tee | BDEOwn el 976). Pp -a231) 


Per construction of the chart 1s simply a matter of apply- 
ing hypothesis testing on a continuous basis. The primary 
advantage is that continuous visual perception of the random 
variable is maintained. This continuous picture enables the 
analyst to make judgments not otherwise discernible. This 
is not limited to the upper and lower control limits demon- 
strated above. Other factors that the analyst can use as 


indicators of abnormal operational behavior include: 
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a. Several points (four or more) in a row on one side 
of the mean line. The probability of four consecutive points 
on one side is approximately Se, Oree0.6i25.. 

Memelacntitiable cycles. Here two or three years of history 
May be required to identify a given month or other period 
of time when the operation acts in an irregular manner. 

c. Several points in a row, either monotonically increasing 
or decreasing away from the mean line. The probability of 
this type of trend is difficult to establish. However, since 
these points are all on one side of the mean line, the proba- 
bility will be considerably less than oe where n is the 
number of points exhibiting this characteristic. 

Paegquality—-control situations, 30 control limits are 
generally used, based on the 1l~in-1000 value of a under the 
normal distribution assumption. The 20 and lo lines may also 
be set up, however, to help the analyst identify other out- 
Seecontrol indicators. For example, two points in a row 
outside of 20 limits would have an approximate probability 
of mas)“ = .000625, which is about the same as the probability 
of one point outside 30 limits, asSuming normality. Although 
control charts for safety applications should not be restricted 


to the a = .001 value, the concept of intermediate lines to 


identify irregularities is a good one. 


Eee oYOlTEMS SAFETY ANALYSIS 
To understand the systems safety analysis we should first 


have a clear picture of what a system is. Worick (1975) 
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defines a system as an orderly arrangement of components which 
are interrelated and which act and interact to perform some 
Petsee Or CUNnction in a particular environment. The main points 
to keep in mind are that a system is defined in terms of a 
task or function, and that the components of a system are 
interrelated, that is, each part affects the others. The 
task or function which a system performs may be simple or 
complex. Sometimes it iS convenient to break up a complex 
task into Simpler tasks and consider subsystems of the larger 
system. Subsystems consist of part of the components of the 
overall system and perform a portion of the overall task 
(Figure 11). The components of a system can cover a wide 
range including machines, tools, material, environmental fac- 
tors, people, documents (such as operating instructions, 
training manuals, or computer programs), and so on. As part 
of a system, the components usually complement each other 
but it is essential to recognize that a failure or malfunction 
of any component can affect the other components and thus 
degrade the performance of the task. 
The sequential steps required in all system analyses 

(Figure 12) are: 

a. Recognition that a problem exists and that the solution 
may be amenable to systems analysis techniques. 

Pee Definition of that problem in an appropriate form, 
including a definition of objectives, requirements, and con- 
straints of times, resources, operational environment, social 


Beeeptability, etc. 
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c. Definition of system itselft in terms of its hierarchi- 
cal level, boundaries, interfaces, environments, functions, 
and constituent subsystems and their interactions, usually 
expressed in input/throughput/output terms. This iterative 
process begins with gross approximations and works toward 
minute preciseness, involving test and modification of the 
Original concept. The result should be a conceptual model 
amenable to quantitative analysis. 

d. Definition of performance criteria for the system as 
a whole, for the various levels of organization, and for the 
Semoimation of its constituents. 

peeeebefinition of alternative configurations and their 
evaluation in terms of costs, effectiveness, state of develop- 
ment, environmental constraints, etc. 

f. Presentation of alternatives and tradeoff results 
to the user. A number of choices should be presented in 
order of preference. 

g. Performance of ongoing, iterative engineering and human 
factors analyses during systems development. 

h. Analyses of operational systems to gether basic per- 
formance data. 

The importance of these preliminary steps cannot be over- 
emphasized. As in any research, the analyst himself may 
introduce bias in the form of poor problem formulation, not 
understanding the system, or in not understanding the true 
role of analysis. In some cases, it may not be known until 


the system is complete whether the problem was defined correctly. 
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There are several methods which are used for the systems 
analysis techniques, but the author will describe here the 
Fault tree and cost-effective analysis. 

Pe cault Tree Analysis 

Fault Tree Analysis (FTA) was developed mainly by 
engineers who studied engineering systems in great detail, 
with little or no contribution by mathematicians. A possible 
explanation given by R.E. Barlow (1975), J.B. Fussell (1975) 
and N.D. Singpurwalla (1975) is the fact that the construc- 
tion of the fault tree, a basic step in fault tree analysis, 
requires an intimate knowledge of the manner in which a sys- 
tem is designed and operated. The mathematician's lack of 
familiarity with the operation of systems, and perhaps their 
preoccupation with mathematically well-defined problems, has 
deterred their interest in fault tree analysis. 

Brown (1976) developed Fault Tree and cost/benefit analy- 
Sis for choosing optimal safety alternatives. Brown shows 
how negative utility amounts can be assigned to all possible 
head events and the relevant possibilities multiplied by the 
negative utilities. The results, which are expected negative 
utility amounts, are called "measures of criticality". 

Reductions in negative expected utility or criticality 
are considered to be quantitative expressions of benefits or 
effectiveness, and these are then related to costs to find 
the optimal combination of safety alternatives for the deci- 


Sion maker's cost-benefit trade-off function. 
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Using Brown's methodology the safety manager should 
first utilize the fault-tree analysis technique as a logical 
approach to identify the areas in a system that are most 
merctecal to safe operation. 

According to R.E. Barlow (1975) and H.E. Lambert 
(1975), FTA is one of the principle methods of systems safety 
analysis. FTA evolved in the aerospace industry in the early 
1960's. It was the result of a contract between the Air Force 
Ballistics Systems Division and Bell Telephone Laboratories 
for the study of inadvertent launch in the Minuteman ICBM 
(Delong, 1970). After initial work at Bell Telephone Labora- 
tories, development of fault tree continued at the Boeing 
Company, where scientists devoted much effort to develop its 
procedures farther and became its foremost proponents. The 
principle of Boolean algebra (Appendix A) is applied for FTA. 

Rogers (1971) has referred to the following six steps 
that were used in applying the technique to the Minuteman 
Eeogqram: 

1. Define the undesired event. 
2. Acquire complete understanding of the system. 
3. Construct the fault tree diagram. 
4. Collect quantitative data. 
5. Evaluate fault tree probability. 
6. Analyze computer results. 
Undesired events requiring FTA are identified either 


by inductive analysis, such as a preliminary hazard analysis, 
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or by intuition. These events are usually undesired system 
States that can occur as a result of subsystem functional 
faults. 

FTA is a detailed deductive analysis that usually 
requires considerable system information. It can be a valua- 
ble design tool. It can identify potential accidents ina 
system design and can help to eliminate costly design changes 
and retrofits. FTA can also be a diagnostic tool. It can 
predict the most likely causes of system failure in the event 
of a system breakdown. 

A major difficulty with quantitative fault tree 
evaluation is the lack of pertinent failure rate data. Even 
in cases where the data are goodk it is not clear that we can 
justify one system environment, data that were obtained ina 
different system environment. Nevertheless, quantitative 
evaluations are particularly valuable for comparing systems 
designs that have similar components. The results are not as 
sensitive to failure rate data as in an absolute determina- 
tion of the system failure probability. 

The goal of fault tree construction is to model the 
system conditions that can result in the undesired event. 

One of the advantages of manual fault tree construction is 
that it forces the analyst to understand the system thoroughly. 
Before the construction of a fault tree can proceed, the 
analyst must acquire a thorough understanding of the system. 


In fact, a system description should be part of the analysis 
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documentation. The analyst must carefully define the un- 
Berea Event under consideration, called the ‘top or head 
event’. 
a. Event Description 

A fault tree 1s a model that graphically and 
logically represents the various combinations of possible 
events, both fault and normal, occurring in a system that 
meas tO the top event. The term, event, denotes a dynamic 
change of state that occurs to a system element. System ele- 
ments include hardware, software, human and environmental 
factors. 

b. Event Symbols 

The symbols shown in Figure 13 represent specific 
types of fault and normal events in FTA. The rectangle defines 
an event that is the output of a logic gate and is dependent 
on the type of logic gate and the inputs to the gate. The 
Circle defines a basic inherent failure of a system element 
when operated within its design specifications. It is there- 
fore a primary failure, and is also referred to as a generic 
failure. The diamond represents a failure, other than a pri- 
Mary failure that is purposely not developed further. The 
Switch event represents an event that is expected to occur 
or to never occur because of design and normal conditions, 
such as a phase change in a system. The conditional input 
may be applied to any gate and describes a condition which 


must be present to produce the output. For example, an 
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Figure 13. Event Symbols Used in Fault Tree Analysis 
(Brown, DeBeew [1976], p. LS58eand Rodgers, 
Weel 971), ps 41) 
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Mieeer sequence of the inputs to an AND GATE may be described 
as a condition input. The triangles are used as transfer 
symbols. A line from the apex indicates a transfer in, and 
a line from the side shows a transfer out. 
c. Logic Gates 

The fundamental logic gates for fault tree con- 
Struction are the OR and the AND gates. The OR gate des- 
cribes a situation where the output event will exist if one 
Or more of the input events exist. The END gate describes 
the logical operation that requires the coexistence of all 
input events to produce the output event. the INHIBIT GATE 
describes the relationship between one fault and another. 
The input event causes the output event if the indicated con- 
dition is satisfied. If the condition involves a specific 
failure mode, it is represented by an oval. It is shown in 
a rectangle if the condition described is one that may exist 
anytime during the life of the system. The symbols for the 
logic gates are shown in Figure 14. 

d. Construction Methodology 

The fault tree is so structured that the sequences 
of events that lead to the undesired events are shown below 
the top event and are logically related to the undesired 
event by logical gates. The input events to each logic gate 
that are also outputs of other logic gates at a lower level 
are shown as rectangles. These events are developed further 


until the sequences of events lead to basic causes of interest, 
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Figure 14. Symbols for Logic Gates Used in Fault Tree 
Analysis (Rodgets, W.P. [1971], p. 40) 
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called “basic events". The basic events appear as circles 
and diamonds on the bottom of the fault tree and represent 
the limit of resolution of the fault tree. The structuring 
process is used to develop fault tree flows in a fault tree 
(Figure 15) when a system is examined on a functional basis, 
that is, when failures of system elements are considered. 
At this level, schematics, piping diagrams, process flow 
Sheets, etc., are examined for cause and effect types of 
relationships to determine the subsystem and component fault 
states that can contribute to the occurrence of the undesired 
Pent. 
e. Purpose of Fault Tree Construction 

The fault tree, once constructed, serves aS an 
aid in determining the possible causes of an accident. When 
properly used, the fault tree often leads to discovery of 
failure combinations which otherwise might not have been 
recognized as causes of the event being analyzed. The fault 
tree can be used as a visual tool in communicating and supporting 
decisions based on the analysis, such as determining the ade- 
quacy of a system design. The fault tree provides a convenient 
and efficient format helpful for either qualitative or quanti- 
tative evaluation of the fault tree, such as determination 
of the probability of the occurrence of the top event. 

Mmeevaluation of the Fault Tree 
An objective of fault tree evaluation is to deter- 


Mine if there is an acceptable level of safety in the proposed 
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system design, 1.e., will the proposed design suitably mini- 
mize the probability of the occurrence of the top event. 
If the system design is found inadequate, then the design is 
upgraded by first identifying critical events (such as com- 
ponent failures) that significantly contribute to the top 
event. Cost constraints, contractual requirements, and other 
factors limit the design changes that can be made. Therefore, 
trade-off studies are necessary to determine what changes will 
be incorporated to reduce the effect of the critical events. 
When all design changes are made, the fault tree is re- 
evaluated to determine if the revised design provides an 
acceptable level of safety and/or reliability. 

According to Brown (1976) the purpose of developing 
a fault tree and quantifying it is to effectively allocate 
the safety budget. To do this, the various alternative safety 
investments are considered in light of their effect upon the 
fault tree and the resulting head event. A measure of cost/ 
benefit is then determined for use in decision making. Before 
completing the presentation of Brown's methodology some ter- 
minology as given by Brown will be introduced. 

ae COSt 

Cost is defined as the dollar outlay to pay for 
the incorporation of a device, method, procedure and so on 
(henceforth called a countermeasure) into the industrial sys- 
Bem £Or a given unit period of exposure. Thus the cost of 
devices that must be periodically recharged and/or replaced 


is based on average costs for a given unit (e.g., a million 
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man-hours (mmh) exposure period). Permanent fixtures, such 
as machine guards, can be prorated on the basis of the life 
of the machine. The cost of educational programs can be 
prorated, based upon their frequency. All countermeasures 
must, for comparison purposes, have a common denominator. 
h. Benefit 

Benefit is the negative utility reduction. 
Measure of benefit is the expected negative utility. There 
1s a negative utility (or cost in terms of dollars and personal 
well-being) associated with accidents. This negative utility 
depends upon the severity of the accident. 

The expected negative utility of the head event 


if it occurs can now be calculated by the following: 


N 
BS) Jats 
a ss 
where: 
aoe JER 
P. = the probability of occurrence of the 1 
e severity class given that the head event 
OCCUES, 
N = the number of severity classes, 
U, = the negative utility associated with the 


i®. severity class. 


An alternative method for calculating E would be 
more appropriate if the values of negative utility from a 
large number of past occurrences of the head event were 


measured directly. Thus the expected negative utility 
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associated with the head event would be obtained from the 


arithmetic mean of these measurements: 





Both equations above are equivalent under the 
conditions that there are n severity classes (N = n) and that 
the probability of each severity class is equivalent (P. = =) , 
This occurs when each accident is considered as a unique 
situation. 

1. Cost/Benefit 

This term is a vague term used in describing a 
variety of applications. Here it is defined as the dollars 
Spent per negative utility reduction. 

fee criticality 

A system is defined as critical if there is any 
failure that will degrade the system beyond acceptable limits 
and create a safety hazard. An absolute measure of criticality 


associated with the head event can be obtained as 


Cw P=: 
where: 
C = the expected negative utility associated with 
the head event in the given time or production 
Wc 
P = the head event probability (in occurrence/mmh). 
E = the expected negative utility (in dollars/ 


occurrence or workday/occurrence etc.). 
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k. Determination of Head-Event Probability 
The value of P can be obtained assuming that a 
proper unit of time or production has been determined to 


adequately define one trial. 


a 


y 
u 


P — 


where: 


N = the number of occurrences of the head event 
in the trials given by the chosen time or 
Proauetieon Unit. 

An alternative way to determine P is by using the 

fault tree end branch probabilities. This is necessary if 

the effect of alternative countermeasures is to be determined. 

In the OR situation, any of the events will cause 
the subsequent event to occur and, therefore, assuming inde- 


pendence, the probability of occurrence of the subsequent 


event is given by 


n 
Po i ie a TT (1 - q.) 
i=1 
where: 
ee ele 
qs = the probability of the 1 causal event. 
n = the number of parallel branches. 


In the AND situation, all the events must occur 


for the subsequent event to occur and, therefore, assuming 
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independence, the probability of occurrence of the subsequent 


event is given by 


Through a reiterative process the probability of 
the head event can be determined from a knowledge of the 
probabilities of the branch events. This is the value of P 
which was given in the equation C = PE. A system modifica- 
tion will produce a change in this value of expected negative 
utility, thus providing the measure of benefit. 

Brown (1976) gives various examples to demonstrate 
the entire procedure. 

2. Example 

Figure 16 is an example fault tree for developing 
the head event "Chip in Eye (Grinding)". This particular fault 
tree is to analyze the specific type of eye injury that might 
be caused by the grinding operation. Those who might have 
this accident fall into two mutually exclusive and all- 
encompassing categories: (1) operators and (2) nonoperators. 
Further, assume that the accident will not occur if adequate 
eye protection is worn. Therefore, the two events shown illus- 
trate the first breakdown. The event "Operator Fails to Wear 
Safety Glasses" has an abbreviated label which, if spelled out 
in detail, would read "Operator Fails to Wear Safety Glasses 


and Is Injured by Chip in Eye." 
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Figure 16. Fault Tree Illustrated 
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The AND relationship asks the question: "What must 
happen?" not "What could happen?" Four things must occur in 
Seger <Or the nonoperator to be injured in this way. These 
four are listed appropriately under the AND gate. 

The event "Motive to Go into Area" analyzed into the 
specific reasons. This eventis used under OR gate here. 

In Figure 17 the probabilities of occurrence are given 
for the end branch events for any million-man-hour period. 
Suppose that records show that in the past there have been 
meeaccacents of this type, of which 7 were First Aid, 2 were 
Temporary Total (man had to leave job), and one resulted in 
a Permanent Partial (caused permanent eye damage). An example 


of negativue utility schedule is given in Table I. 


Table I 


An Example of Negative Utility 


Severity Negative 
Classification Severit Ut baste 


_— Permanent Partial 


Permanent Total 
(including fatalities) 


The value of negative utility need not be a dollar figure 
if other intangibles, such as social costs, are to be 
considered. For this example, however, First Aid was 
a dollar value per case estimated. All other figures 
are average costs per case given by the National 
Safety Council, ‘Accident Facts', 1971. 
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P = Probability of A = 00522 Expected Negative Utility 
b= Severity of A = 333 =(P)°(E) 
= 17.38 
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Fault Tree Illustrated the Probabilities 


Figure 17. 
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Biemexpected negative utility of this accident is: 


Se covet .2(oe5)) + .1 (2500) = 333 


The probability of the OR gate given last: 


e eee eee Ono) (le. 5) (le .01) = 1 = .8935 


Oe 
The probability of the AND gate is: 
7 = (eee. O0ce)(1)(.5)> = .0426 


The probability of the head event is: 


Peo — 01) (= .0426) = 1 - (.99) (.9574) 


We 2 2 


This is the probability of occurrence of the head event, in 
any million manhours of exposure. 


The criticality associated with the head event is: 


eee ee Fe — e522) 0353) = 17.38 


This example will be pursued a bit further to deter- 
mine how modifications on the fault tree are handled. If 
money 1S spent to improve the safety of this system, one or 
more of the basic event probabilities in the fault tree should 
be reduced or else the expected severity should be reduced. 

If not, either the expenditure should not be made, or else 


the fault tree is incorrect. A reduction in the basic event 
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probabilities will always reduce the probability of the head 
heme, F, and therefore it will also reduce the criticality, 
Memon the event. The amount by which the criticality is 
reduced will provide a measure of benefit for the change that 
was made. Hence a measure of benefit can be estimated for any 
safety investment. 

Consider three proposed countermeasures to reduce the 
probability of the head event "Grinding Chip in Eye" originally 
presented in Figure 16. Assume the three alternatives were 


given as in Table II. 


Table II 


Three Proposed Countermeasures and Associated Cost 


Alternative Description Prorated Poerecr 
ost/mmh 
1 


Ensure that opera-| $25 Reduce proba- 





tor stops opera- Ola Gyo 
tion whenever event G to 
anyone enters area nO 
Z Move storage o> Reduce proba- 
area away from Digi ty cevenits 
grinding area Hoand =) co 
zero 
3 Bote le ania 2 530 Same effects 
as both l 
and 2 


Let's calculate the probability of head event, criticality, 


Savings, and cost/benefit. 
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Alternative l 


ee Oa) Pometos) (.1065) (1.0) (0.05) 
eo. 35507 = 0.0142 

feo’ & = (0.0142) (333) = 4.73 

peavings = 17.38 - 4.73 = 12.65 

Cost/Benefit = 25/12.65 = 1.98 


Alternative 2 


ee ee Omer — (078) (1 — (1-0) (1-0) (1-0 .01) ) (120) (0.5) ) 
= l]- 0.986 = 0.014 

@ee=- (0.014) (333) = 4.66 

Savings = 17.38 - 4.66 = 12.72 

Sost/Benefit = 15/12.72 = 1.18 

Alternative 3 

eee 1-001) (1 = (0.8) (1 = (1-0) (1-0) (1-0.01)) (1.0) (0.05) ) 
= 1- 0.9896 = 0.0104 

ee = (0.0104) (333) = 3.46 

Savings = 17.38 - 3.46 = 13.92 

Cost/Benefit = 30/13.92 = 2.16. 
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Summary for alternatives are shown in Table III. 


Table III 


Three Alternative Cost/Benefit Analyses 


Alternative| Cost} Original Benefit | Cost/Benefit 
Cri ti ealel Be icalit 


22 LSS ‘ 2e0) 












17-38 


The best investment is the one with the lowest cost/ 


benefit figure. Alternative 2 is superior to the others in 


terms of cost/benefit. 


Sec rRit LT LCAL INCIDENT TECHNIQUE (CIT) 

This technique is widely used as a method of discovering 
and attempting to reduce or control hazardous situations be- 
fore accidents occur. CIT examines previously experienced 
difficulties by interviewing persons involved. It is based 
on collecting information on hazards, near misses, and unsafe 
conditions and practices from operationally experienced per- 
sonnel. It can be used beneficially to investigate man-machine 
relationships in past or existing systems and to use the 
information learned during the development of new systems, or 
for the modification and improvement of those already in 


existence. The technique consists of interviewing personnel 
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regarding involvements in accidents or near accidents; diffi- 
culties, errors, and mistakes in operations; and conditions 
that could cause mishaps. The surveys generally request 

the persons interviewed to include their own experiences and 
also experiences of other personnel whom they have actually 
observed. The person is asked to describe all near misses 

Or critical mishaps that he can recall. 

In effect, the CIT accomplishes the same end result as an 
accident investigation: identification through personal in- 
meeavement Of a hazard that has or could result in injury or 
damage. When the witnesses who observed a mishap or near 
miss, but were not participants, are added to those who were 
involved, an extremely large population is available from which 
information on accident causes can be derived. 

Even isolated incidents reported by the technique can be 
investigated to determine whether corrective action is necessary 
Or advantageous. However, when a large number of persons are 
interviewed regarding similar types of equipment or operations, 
Similarities begin to appear in reports of hazards and near 
misses. Where these indicate deficiencies, difficulties, or 
other inadequacies, they can be accepted as indicators of 
areas in which improvements are necessary in the design of a 
product or system. 

This technique provides a source of data on errors that 
Contribute to critical and catastrophic accidents, and obtains 
SaeOrmation directly from operators, who are less reluctant 


to admit errors in nonaccident situations than in accident 
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Situations. The CIT has been used in evaluation of aircraft 
pilot safety and has proven beneficial as a qualitative 
safety technique. 

Fitts and Jones (1947) used this technique very effec- 
tively after World War II when they conducted interviews with 
Air Corps pilots on errors made in operating aircraft controls 
and in reading aircraft instruments. Figure 18 indicates the 
classifications of 460 pilot errors made in operating aircraft 
controls. Over 80 percent of the errors reported can be con- 
Sidered as errors of design: design of controls, their 
arrangements, and their locations. 

Fitts and Jones also made numerous recommendations for 
Changes that would reduce human error, improve controls, and 
increase system effectiveness. These recommendations, many 
of which were incorporated in later aircraft and in human 
engineering standards, are quoted here to illustrate benefits 
that can be generated by this technique as a method of developing 
accident prevention measures: 

a. More than half of all errors in operating cockpit con- 
trols can be attributed directly or indirectly to lack of 
Mniformity in the location and mode of operation of controls. 

b. Substitution errors can be reduced by (a) uniform pattern 
arrangement of controls; (b) shape-coding of control knobs; 

(c¢) warning lights inside the appropriate feathering button; 
and (d) adequate separation of controls. 

c. Adjustment errors can be reduced by (a) automatic fuel 


flow control; (b) simplified one-step operation of wheels and 
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No. of Percent 
Errors Errors 


SUBSTITUTION ERRORS — confusing one control with another, or failing to identify a control when 
owas Hieeded 


a Using the wrong throttle quadrant control (confusing mixture, prop pitch, throttle, etc) 89 19 
fy Coutlusimg flap and wheel controls a2 16 
c Opetating a control for ihe wrong engine (feathering button, ignition, mixture, prop pitch, 

throttle, ete.) 36 8 
d Failing to identify the landing light switch or confusing it with some other control 11 


2 Contusing other controls (alarm bell, bomb-bay door, carburetor heat, cockpit heater, 
droppable gas tarks, emergency bomb release, engine heat, intercooler, oil bypass, oil coller 


parking brake, pitot heat, radio tuning control, salvo switch, trim tab, wobble pump) galt Bo) 
TOTAL Zao 50 
ADJUSTMENT ERRORS: operating a control too slowly or too rapidly, moving a switch to the wrong 
position of following the wrong sequence in operating several controls 
da. Turning fuel selector switch to the wrong tank 19 4 
h Following wrong sequence in raising or lowering wheels 18 4 
Ci Failing to obtatn desired flap setting 17 4 
d. Adding power too suddenly without proper change tn trim g 2 
e. Failing to lock of unlock throtties properly 5 1 
f Failing to rollin trun fast enough 4 1 
g. Failing to adjust other controls properly as 4 
TOTAL 83 18 
FORGETTING ERRORS. failing to check, unlock, or use a control at the proper time 
a. Taking olf with flight controls locked (aileron, elevator, rudder, or all controls locked) 16 4 
b Forgetting generator of magneto switch 14 3 
ce Forgetting to nak e proper engine or propeller control adjustments (mixture, prop pitch, etc.) 11 7 
dd. Faryetting to lower, lock of check landing gear 7 ? 
- Taking off wih wrong trim settings 6 } 
| Taking olf without removing pitot Cover 4 1 
g. Forgetting to operate other controls (bomb-bay doors, bomb-rocket selector switch, coolant 
shutter, flaps, auxiliary fuel pump, fuel selector, hydraulic selector, lights, PO! switch, pitot 
heat, tail wheel lock ) 25 5 
TOTAL 83 18 
4 REVERSAL ERMORS  ioving os Contra: asa direction Opposite lo that Necessary TO produce a 
lesueedd result 
hi Muking reversed thin) COoMmrection ¢ 2 
bb. = Makuny tevetsedh wing tap adjustment 6 
Making reversed movement al an engute of propellor Contiul (mixture, prop prich, etc } 6 1 
| Muking reversed movement of some other control } a 
POTAL a b 
u UNINTENTIONAL ACTIVATION inadvertently operating u Control without being aware OF i 
(Brokes, Curburetus heat, Cowl Maps, generator, lion, ignition, miverter, landing gear, lights, Mastet 
switet, ert heat, radio superctaryer) 24 2 
bs UNABLE 1O REACH A CUNTROL. accent of near accident resulting from “putting Aes wh Cock 
pit tO yfasp d COutrol, Of miahility tO beach v Coutrol al all (Carburetor heat, fuel selector, a : 


mydtuule switch, landing gaat Nose whee! crak rudders] 


Figure 18. Classification of 460 Errors Made by Pilots 
in Operating Aircraft Controls (Hammer, 


97 2a 13:9!) 
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flaps; (c) easily accessible and continuously operable trim 
controls; and (d) improved throttle locks. 

ad. Forgetting errors can be eliminated almost entirely by 
adherence to uniform and "natural" directions of control 
movement. 

e. Unintentional activation of controls can be remedied by 
application of existing anthropometric data on body size 
and use of a maximum reaching distance of 28 inches from the 
Shoulder for all controls used during critical procedures. 

The CIT procedure was described by Tarrants as carried 
out at one plant of the Westinghouse Company. The steps may 
be summarized as follows: 

a. A group of employees with previous experience and 
involvement in manufacturing processes and equipment was 
selected. Each person included was listed according to vari- 
ous factors to produce as wide a range of experience as 
possible. Representatives were selected randomly from each 
maetOr group. 

b. The participants were interviewed and informed of the 
study and its objectives. They were given an opportunity to 
withdraw from participation. 

c. At the end of the interview the participant was given 
a copy of the statement on the study and its objectives and 
a list of typical incidents gathered at other plants. This 
procedure was to stimulate the recall process. 

d. Participants were asked to describe any incidents that 
they could recall, whether or not they had resulted in injury 
Or property damage. They were asked whether they recalled 
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any incident similar to those that had occurred at other 
plants, as described on the list they had been provided. 

e. Questioning was carried on until human errors or un- 
safe conditions in any recalled incident could be described. 

The 20 participants related 389 incidents of 117 differ- 
ent types. Over 50 percent more potential accident causes 
were found by this method than had been identified from acci- 
dent records. One participant estimated that almost 70 per- 
cent of the problems reported occurred every day, indicating 
an almost constant exposure to danger. Once a potential 
accident has been reported, the hazards are corrected so that 
a real accident will not occur. As these hazards are eliminated 
or reduced so should accident frequency and severity rates. 

The major deficiency of this method is that its effective- 
ness will be dependent upon all employees reporting those 
potential accidents (incidents) in which they are involved. 
Usually employees will be reluctant to do so. They are worried 
about their supervisors attitude, their own personal records 
and/or spoiling the company's safety record. Thus data with 


some degree of bias are introduced. 
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toate MEN POF PROBLEM 


Through the literature survey, several methods among the 
existing safety measurement techniques have been discussed 
for measurement of flight safety. From the above discussion 
it is apparent that the measurement of flight safety is an 
area for research and development which will allow major 
improvement in overall flight safety programs. 

A most important aspect in the development of an effective 
safety program is collection and evaluation of data. The 
primary goal of any safety program is to prevent accidents. 
Accident prevention is best pursued within the framework of 
a systematic program. Detailed and well-selected collection 
of factual data is the first step in the development of an 
effective safety effort. By means of an overall evaluation 
of safety by analysis and dissemination of this data, acci- 
dents can be predicted and prevented. 

The Korean Air Force is currently collecting data on air- 
craft accidents. Data categories collected are as follows. 

a. Accident rate and flight time per model and year 

b. Total accident rate, pilot and aircraft loss per year 

c. Accidents by general factors (pilot, maintenance, 
material, supervisor, etc.) 

ad. Accidents in detail per factors (e.g., pilot factor: 


mean, disorientation, unusual, air collision, etc.) 
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SweemiagOor accidents per flight time (e.g., 400 ~500 hrs: 8, 
fee 1000 hrs: 4, 1700 ~1800 hrs: 1, etc.) 

f. Major accidents per flight phases (take off, climb, 
in flight, Let Down, landing) 

g. Major accidents per missions (Air to Air, Air to Ground, 
Instrument Flying, etc.) 

h. Major accidents per rank 

imeeircraft accident cost. 

Many of the data categories listed above are useful and 
lend themselves to analysis (Items a, b, e). There are, how- 
ever, some major deficiencies in data being collected by the 
Korean Air Force. From the accident prevention viewpoint 
mmemeetOr the analysis of pilot error, it would be better to 
categorize the pilot errors of item c as follows: 

a. Design-induced pilot factor (e.g., instruments that 
can not be seen properly because of their location). 

bee Operations-induced pilot factor (e.g., air traffic 
Eenmtrol terminology). 

G6. Environment-influenced pilot factor (e.g., weather 
phenomena such as fog or thunderstorms). 

d. Innate pilot factor (e.g., poor technique, misuse of 
controls, medical and psychological conditions). 

Specifically, the data of items g and h are inadequate. 
For example, item g must include flight time or sorties. That 
is, accident rate must be calculated for each mission. Item 


h must consider the total flight time and pilots of each rank. 
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For example, suppose the cumulative number of pilots, flight 


time, and accidents for 10 years are shown in Table IV. 


Table IV 


Example Data for Ranks by Pilots, Flight Time and Accidents 





flight ; 40,000 1507000 SSOP LoUr O00 |) 30,000 
time 


acci- 3B 18 19 9 9 
dents 


Then, 


(Number of pilots in each rank/total pilots) 
x Accidents 100,000 
Flight time of each rank 


Accident rate 


Total pilots = 400 + 1,000 + 1,500 + 800 + 300 = 4,000 
Accident rate of — (400/4000) x3 x 100,000 75 
Ame Lt. — 40,000 : 


By the same formula, accident rates of lst Lt., Capt., Maj., 
Gest COl., are 3.0, 1.58, 1.13, and 2.25. 

From the data collected above we can only use control 
chart techniques because the data was not collected in detail. 
mee the problem is that it is difficult to evaluate the over- 
all safety effectiveness by this method because the control 


chart uses only the frequency or severity of accidents vs. 
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time (year, month, or week). Accidents must be considered 
Bs emultiple causation events, 1.e., rarely is a single 
factor solely responsible for the event. 
The present thesis effort has been designed to examine 
data currently collected by the K.A.F. and make recommendations 


which will improve data collection procedures and subsequent 


analysis. 
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fen DO ROnCn LO MaaASUREMENT OF FLIGHT SAFETY 


Several measurement techniques applicable to flight 
safety were presented in the literature survey. The problem 
is how should the data be collected to efficiently apply such 
measurement techniques? The author will present several 


methodologies to collect and apply data. 


eee CONTROL CHARTS 

The primary objective of this method is to show compari- 
sons among accidents which occurred in a given period and to 
mioaally indicate out of control situations by plotting fre- 
quency of accidents vs. time (year, month, or week) and upper/ 
lower control limits. A point falling above or below the con- 
Meo Limits, respectively, is indicative of an out-of-control 
Situation, and assignable causes are generally sought. To 
measure flight safety, we actually need only the upper control 
iat . 

It is easy to collect these data. The K.A.F. does, in 
maec, COllect monthly and yearly aircraft accident data. In 
addition, it may be advantageous to add daily and weekly 
data to monthly and yearly statistics. 

Example 
1. Data for accident rate (major, minor, or major + minor) 
per week (given period). 


2. Pilot loss rate per year, month. 
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Accident Rate 


If the above data was collected, it would be possible to 
determine trends of accidents on a daily basis. In particu- 
lar, we could analyze the accident factors (pilot error, 
material failure, supervisor, Maintenance, environment) from 
item j by observing the upper control limit zone. 


Analysis of Existing Data 


The aircraft accident rate of the K.A.F. is as in Table V. 


Table V 


K.A.F. Accident Rate by Year 


pro [ra |r | va [re fas | 76 | a7 |e 
trot Olav woo. 7) 9.5 15./ 1 5.0) 1.4 


Then the control chart of this data is shown in Figure 19. 





10 


* | 


Tos | 6 74~<“‘(pS 67e@)6|0CU77~C«S78~SC=«S793 ae 


mute lon COntrol Chart Applied to K.A.F. Data 
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From the above data, 


a 
2 Sea: 
n 


il 


~ | 
I 
lt 


a 


me Vide. - ()x,)°/n]/m-1 = 2.87 





MeemoradiSstribution is used. For a = 0.05, 
oe Yn UG) 
= 6 GR) as Nay a ee 
¥10 
Pe = xX - t ’ = we OPeGcn 92 202 eee! 
n-1,1-5 Yn AO 
= 4.63 


The accidents of 70, 73, and 74 are out of the control 


limit. So we have to analyze the accident causes of these 


years to prevent or reduce accidents in the future. 


Nave to prepare accident prevention program according to the 


outcome of analysis. 





Let's take a = .Ol. 
Petes = x +t ne ee me ao: eS 
mei das /n = /10 
SECO xe = 9563 
Y10 
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Eee Vn 410 
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ate Sei). 


The accidents of 70 and 73 year are yet out of control 
limit. The control chart is almost the same as test of 


hypothesis. 


iy: Tle Uo 


The acceptance and rejection regions are illustrated in 
Figure 20. Here assume that the hypothesis 1s true and 
use the value of a to determine the "cut-off" point for 


acceptance or rejection. a is the probability of rejection 


given that the hypothesis Ho 1s true. 





Figure 20. Acceptance and Rejection Region 


For Hy: HW = Up and Hy: u > Uo: assuming that Ho is 


true, the distribution is centered at Uo: Now according to 
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the definition of a we will accept a probability of rejecting 


Ho even though it is true. 


Example 


Aircraft accident rate of the K.A.F. was supposed to be 
reduced up to average 5.0 from 1970 to 1979. Was the acci- 


dent level reduced significantly? 


Hy? HW = Up (Accident level was reduced significantly) 
Hy: u > u, (Accident level was not reduced 
Srqntereantly) 


Then from accident data given above: 


2 ae 
Bee ls — Ho or ok Jn 
= 5.0 + ty 0.95 ° ee (a = 0.05) 
ai ¥10 
sweeror Ieess . 2" = 6.66 
¥10 
We know x = 6.68. Thus x > U.L. This means H, is rejected 
and Hy: iS Ug 1s accepted. Therefore we can conclude that 


the K.A.F. has not yet reduced the aircraft accident success- 
fully within given period. If a increases, the value of the 
U.L. decreases and the probability of acceptance Ho decreases 


more. 


B. FAULT TREE ANALYSIS (FTA) 
Fault tree analysis can be used to improve flight safety 
through the identification of safety critical items and make 


cost effective recommendations for their improvement. The 
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identification of failures which impact the safety of a com- 
plex mechanical system of aircraft requires a disciplined 
formal methodology capable of addressing the causes of failure 
and failure interactions at low levels of complexity which 
influence the entire system. FTA can provide such a disci- 
plined methodology and also be applied to quantitatively 
identify critical modes of failure (both hardware and human) 
whose occurrence could cause a hazard in flight. The appli- 
cation of FTA initially requires the definition of a system 
and once the system is defined the basic events are identi- 
fied by starting with the accident and looking for its cause 
at a lower level of complexity. By repetition of this cause 
and effect relationship, the most elementary cause is finally 
deduced. The interconnections of the causal events with logic 
symbols form the branches of the fault tree. The quantita- 
tive evaluation of the probability of system failure requires 
the collection of failure rate data from which basic proba- 
bilities are determined. These basic event probabilities 

are combined using rules of Boolean algebra to determine 
criticality of each basic event. Based on relative criti- 
calities, cost effectiveness techniques can be used to decrease 
probabilities of basic hazards. 

A fault tree is a failure analysis technique which analyzes 
system failures beginning at the highest level of complexity 
and ending at the lowest level of complexity. The upper most 
event is identified as an accident which may have several 


degrees of severity. The degree of severity is not identified 
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on the fault tree diagram but is accounted for in the cost 
Seeectiveness calculation. The tree construction is a logi- 
cal process producing a graphical display of events such 
that all possible causes of a particular failure are shown 
below that failure. Subsystem failures are further subdivided 
and depicted in greater detail until the bottom of the tree 
is reached. The tree is structured to systematically show 
contributory events and failures and their relationship to 
each other and to the accident. Each component of the sub- 
system capable of producing an event is examined and how its 
failure would contribute to a mishap determined. 

According to Hammer (1972), in the application of the 
fault tree methodology the following assumptions are generally 
made, concerning the characteristics of components, condi- 
tions, actions and events: 

a. Components, subsystems and similar items can have only 
two conditional modes; they can either operate successfully 
or fail. No operation is partially successful. 

b. Basic failures are independent of each other. 

c. Each item has a constant failure rate that conforms 
to an exponential distribution. 

The benefit of the generalized fault tree structure 1s 
realized through the general applicability of the improvement 
recommendations, derived from the fault tree analysis. 

The author will draw a fault tree diagram based on the 
Meee f. ailreraft accident data. The primary factors of K.A.F. 


aircraft accidents in the 1970's were classified into six 
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Categories, 1.e., pilot, maintenance, material, supervisory, 
environmental, and unknown factor. Fault tree must include 
detailed fault factors from top structure to subsystem, but 
K.A.F. data has not been collected in sufficient detail to 
evaluate the most effective use of FTA. For example, material 
factors of K.A.F. are shown in Table VI. What was the basic 
event Of flight control in Table VI? Was it pitch, yaw, or 
roll failure? If the failure was due to yaw, what was the 
basic event of yaw? Was it caused by wear, shock, or vibra- 
tion? The fuel system can be included as a subsystem of 
thrust control and also must be divided into subsystems. 
Data presented in Table VI is inadequate for applying FTA. 

Among the primary factors of K.A.F. data pilot, main- 
tenance, supervisory, and environmental factors are human 
error. Fault tree diagram of K.A.F. accident data is shown 
in Appendix B. More subsystems and basic events were added 
to illustrate a sample aircraft accident fault tree and develop 
the methodology for collecting and applying data. A method 
to collect data will be described below. 

1. Data Collection 

For FTA, the data is not confined only to major and 
minor accidents. Incident and Forced/Precautionary Landing 
data are also included, i.e., accidents are sorted into cate- 
gories such as: 
a. Major accident 


b. Minor accident 
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Table VI 


Material Factors by Year of Accident (Major & Minor) 


ie. 73 75 76 VL 78 

Item 
Figs Goi SCE 

eee = 


mative see] [| 
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eee incident. 
ad. Forced/precautionary Landing. 
Basic events which will be contributed to accidents 
in these subcategories are: 
a. Supervisory factors. 
b. Psychophysiological factors. 
c. Environmental factors. 
ad. Material failure. 
e. Maintenance. 
Sample format of supervisory factors is shown in 
Table VII. More detailed data to be collected is presented 


fm oection V. 


feeeevelopment Of an Equation for Corrective Action 


Recommendations 

This section concentrates on the development of an 
equation by which to evaluate cost effectiveness in terms of 
parameters derived from the fault tree analysis and parameters 
which may be readily estimated from the data. 

The cost effectiveness index provides a measure of 
dollars saved per dollar spent in implementing recommenda- 
tions. It is based on the projected percentage improvement 
in criticality if the improvement recommendation is implemented. 
The cost effectiveness index is the ratio of cost savings to 


improvement cost. 
CE = = (5) 


where: 
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CE = cost effectiveness index 
Co = cost savings 
Cy = improvement cost 


The cost savings may be expressed in terms of the 


difference in total accident cost achieved by implementing 


the improvement recommendation. This may be expressed as: 
Co = N(C, = Car? (2) 
where: 
Co = cost savings 
N = number of accidents 
Cy = cost of accident without improvement 
Car = cost of accident with improvement 


The general cost of a single accident may be expressed as: 


GS, 3 eu en L OO. Ys (3) 
where: 

Gree=— Criticality 

Cy =eCOSe Of a) COtal lost 

a, = probability of an accident being of severity 1 

as relative cost of an accident of severity 1 

ae = J] - major incident 


eg 





aL = 2 - minor accident 


ae = 3 = incident 


t- 
tt 


4 - forced/precaution landing 


This equation may be rationalized in terms of the 
Criticality representing the probability of an accident of 
any severity occurring due to a given basic fault. The 
probability of the accident being of severity i is then 
(CR) (a). The cost of an accident of severity iis (Ci) (y,)- 
The cost likely to be incurred due to accidents of all 
severities is the sum of the products of these terms as 
expressed in the equation above. 

The criticality after implementation of the improve- 


ment recommendation may be expressed as: 
CR = (1-8) (CR) (4) 
where: 
8 = percent improvement in criticality 


The cost of an accident after implementation of the 


improvement recommendation may then be expressed as: 


Cae = (1-8) (CR) (C,,) L OY. (5) 


By substituting equations (3) and (5) into equation 
(2), an expression for cost savings is obtained in terms of 


parameters which have known numerical values. 
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c pence. = C..) 


S A AI 
= ee eri i meee ICR ig Peis) 
= N(CR) (C,,) {1 ponent AY : 
Thus 
= MB ICRI (C.) 00475 (6) 


An expression for the cost effectiveness ratio is 


obtained by substituting equation (6) into equation (1). 


of NB (CR) (C,,) 
eee Se 
I I clog 
Thus 
a 
GE ei Ne (CR) ct ass (7) 


In order to apply this formula we have to set up a 
general criteria for each item. 

eemperiticality (CR) 

The author uses the definition of CR suggested 

by Birnbaum (1975). Let g be a function that computes the 
probability of the top event in terms of the basic event 
probabilities. To generate this function we need a Boolean 
expression for the top event in terms of the Boolean variables 
of the basic event. The outcome of each basic event at time 


t has an indicator variable Y, (t), 
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l when basic event 1 has occurred at time t 
Y, (t) 2 


O otherwise 


If the state of each basic event is random, the 
probability that event i occurs by time t can be defined to 
be F(t). Hf A, (t)dt is defined to be the probability that 
event 1 occurs between t and t+dt, given that event i has 
not occurred by time t, then F(t) can be expressed in terms 
oum A, (t): 

1 
-~ f dr, (t)dt 
0 i 
F.(t) = l-e 
i 


A, (t) 1s commonly referred to as the hazard or failure rate 
eeetime t. 

If we construct a fault tree where the top event 
is system failure and the basic events are component failures, 


then Birnbaum's definition of component importance becomes 


Jee Ge) 


F(t) gil. ,F(t)} -gi0, ,E(t)} 


where g{F(t)} is the probability that the top event occurs 
by time t. The above expression is the probability that the 
system is in a state in which the functioning of component 
1 iS critical: the system functions when 1 functions, the 
system fails when i fails. The probability that the system 


is in a state at time t in which component 1 1S critical and 
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that component i has failed by time t is the criticality of 


the ith basic event, l.e., 


CR = [gtl,,F(t)} - g{0,,F(t)}IF, (t). 


Example 


Assume that the fighter aircraft accident data 
(including incident and forced/precaution landing) of the 
K.A.F. was collected for a 10 year period and a fault tree 
diagram was constructed the same as in Appendix B. From 
this diagram, the number of basic event accidents due to 
insufficient experience is 3. What is the basic event 
failure probability, head event probability and basic event 
@epercality? 

Before solving this problem, assume the following 


data was collected. 


Total flight time of 


feghter alrcraft oy 0.0 hr 
Total sorties 586,600 
Average flight time leds; hr 


Assuming an exponential failure distribution, the failure 


rate 1s: 


z 3 a -6 
r = ONS OL = 4.95 x10 Y Aas 


PEebability of basic event ‘limited experience' is: 
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Be) = l-e P= ose oe” x 1.033 


eee ae 


For basic event ‘inadequate training', 


Z -6 
r eusmnou eee ex 'O°* 7hr 
F(t) = kt = 3.30 x 107° Zeleee O55 
= 3.41 10° 


Then, the probability of flight beyond capability P Ss 


pa 
2 
1=l 
-6 =6 
= d= {1 -+5.1%x*x10 )(1-3.41 «10 -) 
= 8.52x107° 
In the same way, 

Pai eo nobanility Of fauley fligne plan 
eon aol 

Pi = Probability of inadequate Wy analysis 
eo ae 

P43 = Probability of poor crew coordination 
= S.10~100- 
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Pis = Probability of inadequate briefing 
4 Bail “ie 
Poy = Probability of supervisory error 


6 6 6 


Maemo. <0 ~ ) 


Lees Ge 10 )(1—-3.40x<10— 


1 (1 =8.52 se Oyeb =o nome 


eee in 


If we collected all of the other event data and 
the probabilities of each event calculated as in Table VIII, 


then, by using the procedure with AND or OR gate, we have: 


Table VIII 


Failure Probability 


Environmental Condition e203 aloes 


Psychophysiological -5 
Disturbance 2.057 0 

















9.25x10 
5 






marust Control 8.55 x10. 


Landing Gear elon ons 
Unknown Crash 1.20x10> 
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Beebablility of pilot error = 5.80 Salta 


6.81x107° 


Probability of human error 


Probability of material failure = 2.40 < ila 


Probability of head event failure = 3.20 eOme 


Smeeculation of criticality: 
If the ith component ‘Insufficient Experience' 


failed, 


g{l,,F(t)} = 3.20 «107°. 


If the ith component ‘Insufficient Experience' 


didn't fail and the head event failure occurred, then 


Pome 0 <10s3- 0 
Thus 
¢ eG 
P ee gee ee = (1-0) (1 -3.41 x10 °) 
lh a 2 
jl 
Been 4 <10°° 
mG G 2G 
Po = 1 - (1-5.10 107°) (1-3.40 10°) (1 -5.11 x 107%) 
6 6 


ea >. oem) (1 =8241 x10 —) 


oe ae 


Finally we get the probability of head event failure as 


ms x10"*. ‘Thus, 
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4 6 


4, (Spex EO.) 


@eee= (3.20 x10  =3.15 x10 


= 2.56x10 77 
b. Number of Accidents (N) 

An estimate of the number of accidents in the 
remaining service life of fighter aircraft in the K.A.F. 
would be calculated if we knew the average sorties flown per 
year and the projected remaining life of operation. Suppose 
the average sorties flown per year was 58660 and the average 
operational life of fighter type aircraft was 8 years. 

From the fault tree it was determined that the 
probability of an accident of any type of basic event 1s 

4 


3.20x10 °. Then the number of accidents expected to occur 


in the remaining operational life is: 


N = (58660) (8) (3.20x107") = 150 
Though the above value was derived by estimate, its absolute 
value is unimportant since ranking of cost effective proce- 
dures id based on a relative figure of merit. 

Geeeerercent Improvement in Criticality (86) 

The percent improvement achievable by implementing 
suggested improvement recommendations for the particular fault 
is based on an engineering judgment. 

Gd. Ratio of Total Loss to Improvement Cost Ze 


Total loss is equivalent to the average acquisi- 


mon cost of all types of fighter aircraft. For each 
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improvement technique, estimates can be made of the cost to 
implement the improvement as a fraction of the acquisition 
cost, C,/C,, 

e. Relative Cost of an Accident of Severity i (Y 5) 

The relative cost associated with a given accident 

depends on its severity. Accident costs will be normalized 
with respect to the average of the manhours required to com- 
plete repair or replacement of major damage for all kinds 
@aesignter aircraft. 


Suppose we know the following data. 


l. Major Damage Classification 


Presoae | soo aw | ve] wo] mo 





2. Minor Damage Classification 





Then the average of the manhours required to complete repair 


or replacement of major damage for all types of aircraft is: 


(500 + 600 + 700 + 800 + 911)/5 = 700 
iie average manhours of minor damage is 140. The relative 
cost of a minor accident is then 140/700 = .2. The same ratio 


Can be applied in relating an incident to a minor accident 


and a forced/precaution landing to an incident. Assume the 
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Meet vye COSt Of incident is 0.03 and forced/precaution landing 
is 0.004 for calculation of COST effectiveness as an example. 
fF. Probability of an Accident Being of Severity i (o, ) 

It is often the case that basic events have 
different probabilities of inducing accidents of varying 
severity, 1.e€., some event will always result in a major 
accident, whereas other events may induce a major accident, 
Minor accident, incident, or forced landing. The probabili- 
ties depend on other interacting elements in the system. 
Therefore, in arriving at a cost effectiveness index, the 
criticality of a basic fault must be weighed to reflect its 
impact on accident severity. This is achieved by introducing 
era ctor Os into the expression for cost savings to account 
for the probability of a given accident severity. The evalua- 
tion of this parameter requires an engineering judgment to 
be made of the probabilities of a basic fault causing acci- 
dents of varying severities. 

peuple calculation of CE 

Assume that the accident occurred from limited 
experience (Basic event 1.8 of AppendixB). The cause of 
failure was due to "order to pilot beyond capability on 
flight". The corrective action recommended is an establish- 
ment of experience criteria. The cost effectiveness of this 
recommendation is: 

From collected data and engineering judgment, 
assume we have Bg = 703%, a, = 10%, a, = 40%, a, = 40%, n= 10% 


1 
and C5/C,, = 0.1. Then 
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cm 4 
CE = N (CR) (—) P OY s 
ieee ee 
MeISOr 07 «(2.56 «107--) «op (0.1 x 1.0 


fOr merce te). 2x) .03 re O.1ex 0.0004) 


a ee 


The relative cost effectiveness is obtained by 
proportion of the above value to the most cost effective 
item in the list, 1.e., set the most cost effective item to 
be 1.0. For example, suppose supervisory error in maintenance 
has the greatest CE value of 65, then relative cost effec- 
tiveness of 3.5 in Appendix B is 1 and accident due to limited 


experience is 5.17 x 107/765 = oe ne 


Example cost effec- 
tiveness ranking is shown in Table IX. We can decide the 

basic event fault is not critical and then it will be eliminated 
from Table IX (e.g., if CR < 107+°). 

FTA was suggested as a method of system safety 
analysis which can improve flight safety through identifica- 
tion of safety critical items and make cost effective recom- 
mendations. FTA is a detailed deductive analysis that usually 
requires considerable system information. It can be a valua- 
ble design tool. FTA can also be a diagnostic tool in that 


1t can predict the most likely causes of system failure in 


the event of system breakdown. 


ae 
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Mec RITLCAL INCIDENT TECHNIQUE (CIT) 

mae CLT consists of a set of procedures for collecting 
direct observations of human behavior in such a way as to 
facilitate their potential usefulness in solving practical 
problems. As a measure for accident research, it reveals 
causal factors in terms of human errors and unsafe conditions 
that lead to aircraft accidents and it provides more infor- 
mation about accident causes and a more sensitive measure of 
total accident performance than other available methods of 
accident study. 

The CIT has been used to collect both accident and near 
accident data without any discrimination being made between 
the two types of data. However, in particular cases the 
investigator may confine his attention to one or the other 
type of data. 

By collection and categorization of common errors from 
human factors data in aircraft operation, possible direction 
of accident prevention and recommendation will be provided. 
For example, if we collect data of specific experiences from 
pilots in taking-off, flying an instrument, landings, using 
controls and using instruments, then the data may provide 
many factual incidents that can be used as a basis for 
planning research on the design of instruments, controls, 
training, and the arrangement of these within the cockpit. 

To be useful the incidents must be detailed enough a) to 


allow the investigator to make inferences and predictions 


or 





about the behavior of the person involved and b) to leave 
little doubt about the consequences of the behavior and the 
effects of the incident. 
The two primary steps included in the critical incident 
procedure are: 
tie collection of the Data 

The most important item for accident research is the 
real data in detail. The CIT is frequently used to collect 
data on observations previously made. This is usually satis- 
factory when the incidents reported are fairly recent and the 
observers were motivated to make detailed observations and 
evaluations at the time the incident occurred. 

The practical problem in collecting the data for des- 
cribing an activity refers to the problem of how it should 
be obtained from the observers. This applies especially to 
the problem of ponte enc recalled data in the form of 
critical incidents. Three procedures for collecting data 
are described below. 

a. Interviews 

The use of trained personnel to explain to observers 

precisely what data are desired and to record the incidents, 
making sure that all necessary details are supplied, is 
probably the most satisfactory data collection procedure. 
This type of interview 1S somewhat different from the other 
types of interview and a brief summary of the principle mis- 


hap factors involved will be given. 


oe 





b. Questionnaires 

If the group becomes large, a questionnaire pro- 

cedure is convenient. 
Geese eorad YoOrms 

One other procedure for collecting data is by 
means of written records. There are two varieties of recording: 
one is to record details of incidents as they happen. This 
Situation 1S very Similar to that described in connection with 
obtaining incidents by interviews above. 

A variation of this procedure is to record such 
incidents on forms which describe most of the possible types 
of incidents by placing a check or tally in the appropriate 
place. 

As additional information becomes available on 
the nature of the components which make up activities, obser- 
vers may thus collect data more efficiently by using forms 
for recording and classifying observations. 

2. Analyzing the Data 

The collected data of a large sample of incidents 
provides a functional description of the activity in terms 
of specific behaviors. The purpose of the data analysis stage 
1s to summarize and describe the data in an efficient manner 
so that it can be used effectively. 

For analyzing the data we have to consider two pri- 
mary problems involved. These problems will be discussed 


below. 
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a. Frame of Reference 

There are countless ways in which a given set 
of incidents can be classified. In selecting the general 
nature of the classification, the principle consideration 
should usually be that of the uses to be made of the data. 
The preferred categories will be those believed to be most 
valuable in using the statement of requirements. Other con- 
Siderations are ease and accuracy of classifying the data. 

b. Category Formulation 

The induction of categories from the basic data 
in the form of incidents is a task requiring insight, experi- 
ence, and judgment. The usual procedure 1s to sort a rela- 
tively small sample of incidents into piles that are related 
to the frame of reference selected. After these tentative 
categories have been established, brief definitions of them 
are made, and additional incidents are classified into them. 
During this process, needs for redefinition and for the 
development of new categories are noted. The tentative cate- 
gories are modified as indicated and the process continued 
until the incidents have been classified. The larger cate- 
gories are subdivided into smaller groups and the incidents 
that describe very nearly the same type of behavior are placed 
together. The definition for all the categories and major 
headings should then be re-examined in terms of the actual 
incidents classified under each. 

A major problem area in CIT involves actual data 


collection. The following items will be applicable to interview 
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mamcecord fOrm in order to collect human factors data in 
aircraft operation. 


ime Description of the occurrence 
ae Alrcraft 
(1) Model 


(2) Configuration when anomaly occurred (gear, 
Plans, en rust,  £uel, Guantity, etc.) 


Type of operation 
Time and location 
(i) Local time 


(2) Elapsed time since departure from parking 
area 


(3) Phase of flight 
(4) Geographic location 


aa Nature of the anomaly (describe the deviation from 
normal or expected performance as precisely as 
possible) 


e. Radio navigation facilities in use and type of 
navigation 


f. Detection of the anomaly (Identify the person 
responsible for each pertinent decision, command, 
action, communication or interaction with others) 


(l) Who first noticed the deviation? (Aircraft 
commander, air traffic controller, maintenance 


personnel, or others (explain)). Who should 
have? 

(2) What brought it to his attention? What should 
have? 


g. Cockpit environment preceding the anomaly. 
(1) Was there anything unusual about the operation? 


(2) Were there any distractions immediately before 
the anomaly occurred? 


(3) What was the weather at the time of the 
occurrence? 


h. What actions immediately preceded the anomaly, in 
order of occurrence? 


Cpmeebicmwany sor Ehese actions contribute to the 
anomaly? 


(2) What decisions motivated this action? Who made 
them? 
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(3) What information was the basis for the deci- 
sions? Was the information correct? 


i. Was there any indication before the anomaly that 
MeEVicamgollguronoccun OF might occur? If so: 
(1) What was the indication? 
(2), ) Who motrced it? 
(3) Was it noticed immediately? If not, why not? 
2. Recovery following the occurrence 
a. What happened after the anomaly occurred? 
(1) What decisions were made? 
(2) By whom? 
(3) For what reasons? 
b. What actions were taken to correct the deviation? 
(1) By whom was each action initiated? When? Why? 
c. What effect did each action have? 
(l) Did it help recovery? 
(2) Did it hinder recovery? 
d. Did any complicating factors arise during the 


recovery period? (After the initial deviation, 
other events can occur while the crew is recovering 
from the first one. Be careful to identify these.) 


Was normal operation restored? How long did it take? 
Was safety threatened at any time? 

(Ll) If so, what was the nature of the threat? 

(2) Was it recognized at the time? 

(3) Who recognized it? 

(4) How was it recognized? 

(J eedeweloncg did it last? 


(6) What was done to control or minimize the 
threat? 


(7) Could the threat have been controlled more 
effectively? 


oe Background 


a. 


If pertinent, describe the history of the personnel 
involved and of the airplane and facilities utilized 
ie endo se light. 


(l) Nutrition and rest: Describe meals as to time 
eaten and type of food and sleeping time. 


(2) Were there any medical or physiological problems? 
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(3) 


(4 ) 


) 


(6) 


Describe the crew's rest and duty schedule 
for this flight sequence. Was this flight 
their scheduled activity? 


a) Do the pilots believe the duty or rest 
schedule was a factor? 


b) Describe their activities during the 
preceding day. 


Were there any problems within the flight 
crew with respect to discipline, coordination, 
ability, personality factors? 


Were there any other problems (ground support 
personnel, controller, management, others) ? 


Were any other factors pertinent during the 
Perlodeprlor FO flight? 


b. Describe in brief the history of this flight prior 
to the occurrence. Emphasize any decisions, actions, 
events or omissions which might have been related 
to the later anomaly. 


cs) 
ey) 
(3) 
(4) 


(5) 


(6) 


Was servicing and ground support normal? 
Were there any supervisory problems? 
Were there any ground or flight delays? 


Were there any problems at the departure 
alrport? 


Were there any air traffic control or airways 
facilities problems? 


Was weather a problem at any time? If so, how? 


Analysis and recommendations 


This section should contain only the opinions and 


recommendations of the person reporting the occurrence. 


a. Was the situation evaluated correctly when the 
anomaly was detected? 


ay) 
(2) 
(3) 


If so, were any special factors responsible? 
If not, why was the evaluation incorrect? 


Could anything have improved the accuracy of 
the evaluation? 


b. Was the detection of the anomaly as prompt as it 
should have been? 


(5) 
(2) 
-) 


If so, were any special factors responsible? 
If not, why was there a delay in detection? 


Could anything have improved the speed of 
detection? 
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Was the recovery from the deviation the most 
effective? 


Was there any problem in flight crew management or 
coordination? Describe any deficiencies, problems 
Or comments in detail. 


Was the entire flight managed professionally and 
effectively? 


(l) If not, what might have been done better? 
Was Air Traffic Control involved in any way? 


(l) If so, was the problem due to ATC handling or 
Miseaue ELons 2 


(2) If so, was there any flight crew misunder- 
Standing of ATC handling or instructions? 


(3) Did ATC do anything to minimize the problem? 
Was any airplane system involved? 

(1) Did maintenance contribute to the problem? 
Was this a fairly common problem? 

Was pilot training adequate: 


(1) To have prevented this occurrence? 


ae bOmcorrect Or Control it under these 
circumstances? 
(3) To cope with it under all circumstances? 


Were any of the following involved in any way? 
Mims@ ,. ROW ? 


(1) Flight crew supervision? 
(er Eleiterarspatch? 

(Er ght jomeground=support? 
(4) Other? 


Supplement (for interviewer only) 


a. 


Was the reporting person's memory entirely clear 
as to the details of this occurrence? If not, in 
what areas did he have difficulty remembering 
details? 


In your opinion, did this incident pose a threat 
to flight safety? If so, how and why? 


Add any additional comments or opinions you may 

have as to the factors involved in this occurrence 
and as to measures which might prevent such problems 
in the future. 
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oe @eeomlecrerng the data by the methods given 
above, we can analyze the data. The sample size must be as 
large as possible for categorization. Table X is the classi- 
Fication of pilot-error experiences as a result of analyzing 
the data. This is just an example to show how to analyze 
Piercaata . 

In summary, the CIT is used as a method of dis- 
covering and attempting to reduce or control hazardous situa- 
tions before accidents occur. 

In effect, the CIT accomplishes the same end 
result as an accident investigation: identification through 
personal involvement of a hazard that has or could result 
in injury or damage. The CIT has been used in evaluation of 
pilot safety and has proven beneficial as a qualitative 


safety technique. 


Dee OlLHER STATISTICAL METHODS 

In general, accidents are not single causation events, 
rather multivariate factors. So we can use many kinds of 
statistical methods to analyze the data. Multiple regression 
analysis and cluster analysis are widely used. Different 
statistical methods can be applied to the collected data. 

The following is an example of the use of statistical 
methods. Suppose it is important to determine if there is 
a statistically significant difference between the pilot 


factor accident rates of experienced and inexperienced pilots 
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Table X 


Example Classification of Pilot Error Experiences 


Type of Error Number of 
Errors 


i: Errors in interpreting multi-revolutim instruments 





a. Errors involving an instrument which has more 
than one pointer (e.g., misreading the altimeter) 


b. Errors involving an instrument which has a 
pointer and a rotating dial viewed threugh 
a window (e.g., misreading the tachometer, 
air~speed indicator) 


2 Substitution errors 
Mistaking one instrument for another 


Confusing which engine is referred to by an 
instrument 


Difficulty in locating an instrument because 
of unfamiliar arrangement of instruments 


3 Reversal errors (e.g., reversals in interpreting 
the direction of bank shown in attitude indicator, 
reversals in interpreting direction from compasses) 


4 Errors due to illusions: Faulty interpretatim of 
the position of an aircraft because body sensations 
do not agree with what the instruments show 


Bs Using an instrument that is inoperative 


Signal interpretation errors: Failure to notice 
a warning light in the aircraft, or confusing 





one warning light with another 
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(in this case, the "experience" and "inexperience" would have 


to be defined). Choose some time frame and let 

hy = number of flight hours flown by experienced 
pilots 

he = number of flight hours flown by inexperienced 
ea Loecs 

a, = number of pilot factor accidents involving 
experienced pilots 

a, = MUN ne Oreo rot Lactor accidents involving 


inexperienced pilots. 
Then the rates for experienced and inexperienced pilots are 


(a x 100,000) /h, and (a,x 100,000) /h respectively. We 


it 2. 


want to test the null hypothesis: 
H,: There is no difference in accident potential 
between experienced and inexperienced pilots 


H,: Not Ho 


Testing H, amounts to testing a hypothesis about the success 


0 
probability in a binomial distribution. Let a and h be the 
number of accidents and time, respectively, for the group 
with the larger accident rate (e.g., a = ay and h = hy, it 


the experienced pilots had the higher rate). 


Let 


We will reject H, if p and p differ too much. Compute 


0 
co BAX 2a), where X has a binomial distribution with 


Parameters n and p. Thus, 
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DY ' ; _: 
wr eae aaa) aes 
l=a 


Let a be the significance level of the test (e.g., a = 0.05). 


moe > a/2, then accept H That 1s, we would conclude that 


0° 
there 1s not sufficient evidence based on this data, to say 


there is a difference between experienced and inexperienced 


fees. fi T < a/2, then reject H, and conclude (at signifi- 


0) 


cance level q) that there is a difference between experienced 
and inexperienced pilots. 

The above test 1S an example of a two-sided test. It is 
designed to answer the question, "Is there a difference 
between experienced and inexperienced pilots?" A one-sided 
test could be done to answer the question, "Are experienced 


pilots safer?" The null hypothesis in this case would be: 


H,: experienced pilots are not safer than 
inexperienced pilots 


For this case, let a = a. and h=h ancecemoute  T,50, ), 


I le 


and n according to the same formulas as before. We will 


Bemeet: H if p is much larger than p. If T > a, we accept 


) 


H That is, we conclude that there is not sufficient evi- 


0° 
dence, based on this data, to say that experienced pilots 


Seeeeoccereiwlth Signiiicance level o). If T < a, then re- 


ject H, and conclude (at significance level a) that experi- 


0 


enced pilots are safer. 
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V. CONCLUSIONS/RECOMMENDATIONS 


Aircraft accidents are rarely caused by a single factor. 
Generally, accidents are the end result of system deficien- 
cies, human error and design deficiencies coming together 
Simultaneously. The most commonly designated cause of acci- 
dents 1s human error. For flight safety, a systematic acci- 
dent prevention program should include consideration of all 
possible sources. Accident prevention 1S best pursued within 
the framework of this program. There are certain fundamental 
concepts and methods which, if properly applied, can increase 
the probability of success in the determination of factors 
contributing to an accident. Several methodologies for the 
measurement of flight safety and data collection have been 
proposed in this thesis for inclusion in the K.A.F. safety 
program. 

The primary goal of accident prevention progam is to 
prevent mishaps. Therefore, the K.A.F. needs to develop 
a safety program based on the following data collection and 
analysis methods: 

l. Develop a format which will describe each element 
(e.g., pilot, maintenance, supervisory error, material 
failure) in detail. For example the U.S.A.F. has 
developed a system for accident data collection (see 
Appendix C) which provides for a comprehensive con- 
Sideration of variables involved in flight safety. 


The following elements are contained in the U.S.A.F. 
data collection system: 


a. Ground mishap report. 


De eabweratt filagat Mishap report. 
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Aircraft maintenance and material report. 
Life sciences report of an individual. 


Psychophysiological and environmental factors. 


Mh @ & QQ 


. Personal data. 


K.A.F. needs to consider the application of the 
critical incident technique (CIT) as described in 
Section IV to collect and analyze data. CIT is 
used in evaluation of flight safety and as a 
qualitative safety technique. 


Use the format of system safety hazard analysis (SSHA) 
for fault tree analysis. In system safety analysis, 
the results of SSHA should be used to determine what 
safety requirements are needed to minimize and con- 
trol hazards to an acceptable level. The SSHA should 
be accomplished by a systematic evaluation of each 
subsystem /component to determine how much each 
element/subsystem could potentially contribute to 

a specific hazard. A sample format of SSHA reporting 
is shown in Appendix D. 


Finally, the following fundamental data should be 
filed in the computer for use in a safety analysis 
and program evaluation. 


Group data 


(1) Total number of pilots engaged in flying by 
month and year. 


(2) Flight time of Command, Wing, and Squadron in 
month and year by model. 


(3) Total number of accidents in month and year by 
Command, Wing, and Squadron. 
Pilot 
a. Biographical data 
(1) Name 
(2) Rank 
(3) Date of birth 
( 


4) Date of graduation from undergraduate 
PlroileecbaiIming 


(5) Wing and Squadron assigned 
(Gj lOtalerlicght time 


(7) Total jet time, conventional aircraft time, 
helicopter time 


05 





[Loci Seructor time 

(9) Total weather/instrument time 

(10) Number and type of accidents the individual 
has had. 


bs Accident data 


(1) Name of personnel involved 
(2) Date of occurrence 

(3) Type of mission 

(4) Phase of mission 
(SJaeeeuratiwen of fElrght 

(6) Type of accident 

(7) Prime and contributing factor 
(8) Days since last flight 


(9) Hours flown in last 24 and 48 hours 

(10) Sorties flown in last 24 and 48 hours 

See eeeours flown in last ./, 30, 60, and 90 days 
(eZee lLGtal time in this alrecraft type 


In addition, similar data should be collected on main- 


tainers, supervisors, air traffic controllers, etc. 


Aaceratt 
(1) Model 
(2) Total flight time 
(3) Date of last major inspection 
(4) Flight time since last major inspection 


Accident research is a systematic, empirical, and critical 
investigation of associated factors and their relationships 
in an accident. For this research, reliable and valid acci- 
dent data are necessary. If the data are collected in detail 
and correctly by the formats and techniques proposed, it will 
provide a convenient method for a researcher to use in the 


development and application of a safety program. For example, 


nai 





the analysis of the variables or causal factors of aircraft 
accident such as human error, material failure or malfunc- 
tion, and adverse influences of the environment on man and 
machine will allow the researcher to develop an analytical 
model for a specific mishap. There are several multi- 
variate statistical techniques (e.g., factor and component 
analysis, cluster analysis, regression analysis, etc.) to 
analyze the accident data. These techniques can be used to 
determine significant interrelationships and to correct sys- 
tem inadequacies (1i.e., what caused or allowed the accident 
to happen). Also, remedial actions (i.e., what can be done 
to preclude the occurrence of an accident) will be proposed. 
Finally, application of the findings and recommendations 
are needed. Qualified investigators, researchers, and safety 
officers are necessary at each level of organization (Figure 
21) and a feedback system should exist between and within 
each level. If a mishap occurs (here mishap includes major, 
minor accident, incident, and near miss), it has to be inves- 
tigated and reported by a reporting system to Air Force Head- 
gGuarters Safety Section through the Command. In the H.Q. 
Safety Section the data must be encoded, analyzed, and recommen- 
dations made known by the dissemination of mishap results 
and findings should be passed to Wing and Squadron through 
the Command. The Squadron must then take action on this 
recommendation. The recommendations including general trends 


of mishap components must be passed monthly to Wing and Squadron. 
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Action Activity 


Investigate 
Mishap SQ & Wing 


Prepare 


Report Report 








Wing 





Report 

Encode 

Analyze Analyze HO Safety 
Recammend Section 
Review 


Disseminate Cammand 
Dissemination 


Implement Wing 


if 


Take Action SO 


megune eZ ta Prepesed Intormation Flow for R.O.K. 
Safety Program 
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Appendix E is a sample trend chart developed by the U.S.A.F. 
and applicable to the K.A.F. 

The safety program described in this thesis possesses 
the potential for reducing overall operational costs and 
Maximizing aircraft availability. The end result of such a 
program can only serve to increase operational readiness 
and thereby maximize overall efficiency and military capa- 


migeity Of the K.A.F. 
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APPENDIX A 


BOOLEAN LOGIC AND ITS APPLICATIONS 





Boolean algebra was developed originally for the study of symbolic logtc. Its rules and expressions in mathematical symbnils 
permit complicated pronositions to be clarified and simplified. Boolean algebra 1s especially useful where conditions can he 
expressed in nO more than two values, such as yes or no, true or false, on or off, up of down, go or no go It has found wide 
application in areas other than symbolic logic. For example, it 1s used extensively in the design of computers and other 
electromechanical assemblies incorporating large numbers of on-off (switching) circutts. Other uses are in probability analysis, 
studies involving decision making, and more recently, in safety and fluidics. The chief difference between the various disciplines 
in thetr employment of Boolean algebra is in notation and symbology. Since the information in this section presents basic 
elements only, expressions most commonly found in safety analyses will be used. 


A set is a group of objects having at least one characteristic in common. The set may be a collection of objects, conditions, 
events, symbols, ideas, or mathematical relationships. The unity of a set can be expressed by the number 1, and an empty 
set, which contains none of these, by 0. The numerals 1 and 0 are not quantitative values: 1 + 1 does not equal 2. They are 
merely symbols. There are no values between the two as there are in probability calculations. Set relatronships are sometimes 
iflustrated by Venn diagrams. The following rectangle represents a set of elements that have an undefined common characteristic. 
In addition, a subset has the characteristic A. All other elements in the set do not have the A-characteristic and are considered 
being ‘‘not A,’ designated by A. A is the complement of A, and vice versa. It can be seen that the total of A and A 1s the complete 
set, expressed mathematically by A + A = 1, where the left side of the equation is the union of A and A The + sign is reacl 
“OR”, and may be designated in mathematical expressions by other symbols, such as U. 


©} COO [@] @ Oo 


The second diagram illustrates the concept of disjoint, or mutually exclusive, sets. The elements of one subset are not included in 
the others, and therefore are not interrelated (other than being in the same set). In this case, however, because A, B and C 
contain all the elements in the overall set, they are said to be mutually exclusive and exhaustive A+B+C- 1. 


The third diagram indicates that some elements of A also have 8 characteristics These are indicated by AB. A Bor AY B. 
called the intersection of A and 8 The intersection contains all the elements with the characteristics of both A and 8B When 
all elements with the characteristic A are counted, those in AB will also be counted. The remaining diagrams in the row illustrate 
some of the relationships between union, intersection, and complement. Numerous other relationships that can be «mploved 
in mathematical expressions have been develooed, some of them having been designed as laws. These are listed beinw, with same 
explanations on their meaning in Boolean logic. 


RELATIONSHIP LAW EXPLANATION 

at = A Full and Empty Sets The only portion within 1 that is both 1 and -\ 1s 
that within A itself 

A 0:0 Animpnssible condition: if itis within the set, it 
cannot be outside the set 

A+Q=A The element in a subset plus anything outside the set 
wiil have only the characteristics nf the subset 

At1=1 The whole, expressed by |}. cannnt he exceeded 

A -~A Involiition Law The complement of the complernent 1s the iten itself 

A.A =Q Complementary Relations An impossibility; a condition cannot be both A and A 


at the same time. 


At+Az] Those elements with a specific characteristic and 
those without it constitute the total set 

AA -A Idempotent Laws An identity 

AtA=A Also an identity 

AB BA Commutative Laws The elements having both characteristics have ther 


no matter the order in which expressed 


iW 





RELATIONSHIP LAW EXPLANATION 


The total o! those elements having the chatacterista 
Aor Bwill be the same no mutter the order in 
which they are expressen 


A+B BtA 


The elements having all the characteristics A, Band 
C will have them no matter the order i whicte expressed 


A(B-C) =(A B)C Associative Laws 


A+(B+C)=(A+B)+tC The total of all the elements in any subsets will be 


the same no matter the order in which expressed 


The union of one subset with two others can also be 
expressed as the union of their intersections 


A(B + C) ={A B) + (A-C) Distributive Laws 


The union of one subset with the intersection of two 
others can also be expressed by the intersection 
of the unions of the common subset with (he other 
two. 


A+(BC) ={A+ B)(A+C) 





A(A+ B) =A Absorption Laws A(A +B) =AA + AB=A+ AB since AA =A, 
A+ AB = A(1 + B) = A since B is inciuded in 1 
At{(AB)F=A A+{A-B)=A+AB*=A(1+B)=A 
mo -A+8 Dualization The complement of an intersection 1s the union of the 
(de Morgan's} Laws individual complements. 
A+8 = A.B The complement of the union ts the intersection of the 


complements. 
Other useful identities are frequently used for simplification of complex Boolean equations. Four of these are: 


Identity Derivation 


Using the Distributive Law: (A+A)-{A+B)=A+B 
Using the Distributive Law: A A+AB=AB 


Expanding the last two terms: (A + B) (AA + AC + AC + CC), CC =C. 
AA =0,AC + AC =CiA+ A)=Ci(1) =C, andC + C=C, 
remainder is (A + B)C, or AC + BC. 


This can be simplified by adding a term such as A + A The lett 
hand side then becomes: AB + AC + BCiA + A} = AB(1+C) + 
AC(1 + 8) = AB + AC. 


A+AB=A+B 
A.(A +B) = AB 
(A+ B)(A+C)-(A+C)=AC+BC 


AB+AC+B8C=AB+AC 


elem 


GATE (CONNECTIVE) SYMBOL EXPLANATION TRUT4 TABLE 
A+B The OR connective indicates that when one or A+B OR 
more of the inputs or governing conditions 1s ar (False) 
present, the statement will be true or an output 011 rien 
OR will result. Conversely, the statement will be false ee eae 
if, and only tf, none of the governing conditions es (Tre) 
A B is present. 
A-B 
The ANDO connective indicates that al! of the ; . ag heaica 
governing conditions orvnputs must be present 04 0 (False) 
ANDO for a statement to be true. !f one of the conditions 1 0 0 (False) 
r g Or iNputs Is missing, the statement is false 1 4 1 (Trae 
A+B 
The NOR connective may be considered a ‘not OR” A+B NOR 
state It indicates that when one or more of the Oo) 1 (True) 
inputs 1s present, the staternent will be false or no Ow 0 (False) 
NOR output will result. When none of the inputs, neither 1 O 0 (False) 
r 8 A nor B.'s present, an output will result. : ae | 0 (False) 
A:8 The NAND connective indicates that when all of the RENAN 
inputs of governing conditions or inputs are not 0 0 ' eneya 
present, the statement will be true or there will be 0 1 1 ne) 
NANO an output When all of the inputs or governing jiaed 1 (True) 
conditions are present, the statement will be false 1 1 0 (False) 
A B or there will be no output. 
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FAULT TREE DIAGRAM FOR CRITICALITY ANALYSIS 
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Peat C 
REPORTING FORMATS FOR DATA COLLECTION 


GROUND MISHAP REPORT 
f‘Camplete anfy aoc licante items) 


1, ORGN. COmO & G@ASE BYBMITTING APART 3, MISHAP TYPE 9, SEVEMITY CLASS 4. 04396. B43E COCKE @ RPAT $2: ALAL 


TJorensvomee | Ty de 
a eos see [| 





OATE OF MISHA 


a i: - i: 


Bamncieleemnio ein amc 
EC La 





MISNAP LOCATION 9. WEATHER ( } NOT 4 FACTOR 
Meee ea 
ico | fewow | OQTHwWER (E eptain) 
| jroo | 


$02. LOC aL Time Wt LIGNT CONDITION 


Tore dS ren 
Bios ue ee 





MISMAP INVOLVED 


8. 
ea FIM ESE APLOSION 


(2. @evmOPere (WAal happened and why) 






t6e PERSON REPORTEO AS NO. 


AoNAME, GRACE ANC 904% Ge ASSIGNED ORGN. 490 AND COMO GC. OUTY avec/ e. SEX 
2O@ Sanice 








*. COMPONENT [ }mor ammcicsarce LTaTus ' 


m wiurTany imac TC OAR Pal ni] Ylew peas 
Per nerve | [ormtn ua mie over) Pee duereem | | teeave | ren 
romeien we (Sensi) [[reswen | [vourmrre |" [ Temsees] oor 
Me PRE-EXISTING PmVYSICAL/MENTAL LIMITATIONS 2 ~Onm € 1, OF FPICTRAS Onur 
TTeceonee [oaveue ] [evoviowne | [nesame [ [evenent ] [omvnene | [osrea : 
fvciren [ex orve | fonuce | fetes) —SSSSS~CS~*dSC*dt nv 


J. OISABILITY CLASSIFICATION [_) INsUAY ae. (Lim ecse (ex) NONE K, IMZUMY TYRE & LOCATION 












PROTECTIVE EQUIPMENT 
| a 







Me CAF ETY TG (fdentifp ing end give canplerian detee) 






lw, INVOLWEO 408 TRAINING 


Yormecrer ~~ [ecoumea | Fos] re Joare comers 
“Tmomecrer[ooeousre| res] }ro! 


Bo UNBAPE acT 






Rm, ACTivity av Time OF ast Bu ae 





foasmemience wirm tase [ [ourvessSO—CSSOSSS*dYSCOd een dove vee 


1a, = Se + AIRCRAFT REPORTED MO. 


VEMICLE ", vee 


| Muy-dGOv? 2@imo @. CITATIONS 199UEO (Spectiy) 








, VENICL © ACTIVITY/ROAG SURFACE le OPERATION {4- O4mace cos? 


USAF PROPERTY CAMAGE 


Ae TYP E/CEEIGNHA TION PROPERTY CAmM46€E0 @, OANMER (MAIC OM) 


fC. OE 6CM1e€ GAmagEe 


ao ae Se ae ee 


Go. rorauw 47 .o8e 



















@, a7 MAATY C4magE GC. MONM-2F BOTY CamagEg 









1?. GCOURCKE OF REPORT O4TA 19, VAL REPORTING OF FICIAL (Tyrpe name, grade ond titie) 





20. PESPONSIOLE COMOR/s FUME TIONAL MOR (Typo 
newe, grove end iitie) 





ales 





AIRCRAFT FLIGHT MISHAP REPORT 


(Ty be filled vut for onncipal atreruft involved Appropriate itemt only snouts be silled out on secundary atrcraft } 





§ MISHAP CLASS 2 ACF T MOS & 3} OaTE 4 UNIT CONTROL NO $9 ACFT ACGSIGNMENTI/STATUS 
coog 


SERIAL NO 


Oa Oe 
Oc OJ o«astr 





PILOT(S) INVOLVED (FLIGHT CREW) 


6. OPERATOR AT CONTROLS 
A. LAST NAME, (INITIALS @ COMPONENT 


c. POSITION IN AIRCAAFT AT TIME OF MISHAP O. NATIONALITY 
[Front sean] [cerrsear] [meanseat] [aicur seat | [sumesear | 


F. MAJICOM, NAF, Oliv, WG, SO ASSIGNED G. MAJCOM. NAF, OIV. WG, $0 ATTACHES FOR FLYING 














7. OTHEA PILOT 
A. LAST NAME, INITIALS 8. COMPONENT 


¢c. POSITION IN AIACRAFT AT TIME OF MISHAP O MATIONALITY €. AGE 
[Front send [ucrrseat] [acansead [micnr sear] [vumeseat 


F. MAICOM, NAF, OlV. WG, $Q ASSIGNED G. MAJCOM, NAF. Civ. WG. SO ATTACHEO FOR FLYING 








8. OTHER PILOT 


— ae eC 


é: POSITION IN AIRCAAFT AT TIME OF MISHAP O. NATIONALITY 
[Fronrsear] [cerrsear] |eeanseay [aicur sear] [sume sear] 


F. MAITCOM. NAF, OV. WG, $0 ASSIGNED OC. MAJICOM, NAF, OV, WG. 30 ATTACHES FOR FLYING 








9. OTHER PILOT 


ce POSITION IN AIRCAAFT AT TIME OF MISHAP O. NATIONALITY 
[_Fronrseat] [cerrsear] [neansead [eicnr sear] | sume sear 


F. MAICOM, NAF, OV. WG. SO ASSIGNESD G. MAICOM, MAF, OIV. WG. SO ATTACH EO FOR FLYING 











10. CLEARANCE 





LM io 
[ven] [vw] Jeoean] [orvoes_| [omect | [amwavs | [wo cceanance ] [ra] 


tt. OURATION OF FLIGHT 12. TVPE OF MISSION 13. ALTITUOR/ELEVATION 


14. FHASE OF OPERATION 






16. METEOROLOGICAL CONDITIONS 
. = OCOvec CsimutL arco ime Orr ansition 





Mime QCon tor Oven im tmc CONDITIONS 
7 AIRFIELO OATA APPLICABLE TO TAKEOFF ANO LANDING MISHAPS OCCURRING WITHIN 2 MILES OF AIRFIELO 





A. FIELO ELEVATION (Lert) 8. COMPOSITION OF RUNWAY 
OC asepracr (©) CONCRETE Oorwan/(Spech) 


GC. LENGTH OF RUNWAY €. OISTANCE OF TOUCHDOWN ° SURFACE CONDITION 
{heeft} FROM RUNWAY (Fret) 


O. LENOTH OF OVERRUN H. COMPOSITION OF OVERRUN 
(Spectfvj 


4. CONOITIONS AFFECTING OCCURRENCE (hur erample. fi pe uj uisirument ur lighting approach used. vostrucnungs Sarrtier airspeed. grou 
weight, forced landtug) 





ff eee ane fever pederes see retvedird (bleh ( pews we port tume mitarnetnud reguwed an wldinural sheet fur cach 
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AIRCRAFT MAINTENANCE AND MATERIEL REPORT 


le AI RCCAFT SEM ey wumMe® Ze MISSICN SESIGN AnQ SERPTES (HS) 





a: HISTORICAL OATA 
Troray furaut moves SCOT SCSCSC™S*~C~—“—stSCtid ee weed 
Meera ee toe 
Pwaues simce vast scmeoutco tse, [0 wore usr cooe fd 
eee. 4 
Saas 





















OATE OF LAST SCHECLLED INSPEZTICN TO@ @EQUESTED | rES See ye8 [0] sa] 
ees ee et orien lee alow 
a en een 
meee ee eee 


ENGINE 
(Complete a Column for each Engine) 










Mi |. | LCST 
Mao ls | | +4. +d 
MMA). |. 
aaa | CS CCC CCS 
Rie | ae 
anor 
Paouns since wast inaveuceo | SS 
Poste or cast sontovsen inseecrion | Sid SSCS. SSCS SSCS 
irre or vast semtousto mavretton | OSCSCSCSCSC“‘“dRSNNCSCSC“‘#NNN 
Ramadan | Si CCCCCd  CTTTCSCS~S 
[ron eeavesres™—SC~—~“‘*~*sdSC“‘SCCSCNW#C#*”’ aan 
4. 


SOAP SAMPLES 
(Engine, CSO. Geerdon of APU fe:luce of which occurred of wee suepected) 

















1 TEM AND SERIAL NUMBER 





| cues sivce | moues SiNcr 
ao fae aGiaL f Cul os v1 


DAMAGED AIRCRAFT 
(Purniah complete demege informetion under Leb “L'. See AF Form Titb) 


Oawact fO Alacmary 
OCSTROYLO OR CAMAGED OLYORO CCONCMICAL REPAIR 


("] suseramriat [J] woe (7) cess tHan winoe on none 


FIRE OATA 
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wMaReOURS TO ME FAIR Cost iCSTi mare} 
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FLUIO 
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Oue 


PNEUMATIC Ormwea (Specify) CLECT@ICa, Ime 
SYSTCu SUL ATION 
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SvVSTCw ( Specify) 
Preumari¢ UNRNO OR 

system * 
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LOCATION OF {INITIAL FIRE 









SsvSsTCu 








ee 
Pea ieee fo lana 
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e. MISCELLANEOUS CHEMICAL EXPLOSION OATA 


arr eee coon ance 


nf ty OF ® 
IMETEAL IGNITION OCCUR@EO IM An ENPLOSIVE INTENSE OF €XPLOSION @AS SUFFICIENT TO 
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ke e é 
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CWALCOs' ON OCCL ebro aFrTee FC at Sarenercen iment. JTwWEM SEGuoreranr gave (Specify) 





ECPL ASIAN CCF BOER FLAKE QUENT TH Cette peewee. 


‘MEM Tee AB NOT avall sare 





eae 





ee eee 
Vib. PSYCHOPHYSIOLOGIC AL aND ENVIRONMENTAL FACTC25s 
INSTFUCTIONS: Complete on ell occupants of aircraft, poe ote OF wi SMaP 














pacice IMPORTANCE 


all injured persons, and all persons possibly cone a acct Otmwr CEC imtTeLy 
Cributing to the cause of the si shep. Supervisory t ESCAPE CONTRI OUTED 
fectora attributed to persone not in the earcvcraft L + Landind 9: SUSPECTED Factor 
end such factors wa design or weethear should be ree 3 guaviver (CIinciudes ° COMOILTIONM PRESENT 
ported only for the person in primery control of the parachute landings) gut 010 NOT CON. 
alreraft. Factors contributing to injury during ae atdcuc TRieuTe To acc! 


midewir collisions, craah Lendings, ditechings, ate., OtmT Of twsURy 
age to be considered part of survival phese. Use 

cedes at right to show only those factors present or 

contributing in each phose. 





ee eAcTORS AV eT sie | FACTORS pATETLTS |? | 


ft. supervisory actors | SORY FACTORS Se 
Li ao 


inaeeouaye wavering] | Lf | orsonsentarvonrveerios | | | 

onoeaco/iceonruveutetvonocerenrerty vos] | [ [| [eros tel | | | 

[reon_eate coosormetion {| ff | | wrevenraros 

fermen cSeneitry) ref PY fone ee] 
TTT Jest wonorce corso ee 


es 
fmemernem LE Pe ee 


Travury fuienT Puam pufcmannegizeo arrewriom 00 eae) Tt 
See 1staaction ne eS 
FAULTY PREPARATION OF PERIONAL CQUIF. 203 | | | tL ecoceysarion eitmoensonar roomcus eze] | | | || 
fvamseooeranruec eT | LL eecenzive worsvervon ro succeto sz] | | | | 
foruaveo oesseruse 20 | | | [ovencomrvoence tte TT) 
fiwapeouare eeatacn anauvars te | | | | | cate ov seur-comriomee. —-ea7)_—~+| ~~ 
ormen ¢Seeeifr) tee Td ace or conrroemee tm courewenr ze {fy tt 

a TE a aaa 


as ewrensecermmmne eons YL eer 


fimageouate taamaition 301] ee re eT 
fuimeveo roray capcarence | goat ||| $a 
[uimirco aecent cxeentence seat ttt 


[ratune rouse accerreo saoctounts 3904] | ||| yea yiponmENTAL FACTORS 
reer i. 


ACCELERATION FORCES. Ime FLIGHT 701 


ACCELERATION FORCES, mr ac? 702 Sawa e 
conn {Spee =e 


ara 2 ll 
fperemmisrrnomrarcs cmedaaie(o || [eee 
POILUAE OF INDTRUMENTS, CONTROL) son} {| | | | | swoee. rumes. ere. sti aie || 
cn PWT A GP 
Sone a eine 
LIGHTING OF OTHER GiACRAPT soot | [| { | | etme orast 70e aa 
[pensoma_couipwent intcarentwce cor} | || || vis atstacetarwee. waze oanmness 710] ||| | 
fevence cers eee ee] [Pf ff wns eee TTP 
forwen (Specify) sawp | VID. RESTM.©OUdT, SMORE, ETC... IN ACET. 792 

ee rae eae CC 


ee a eee TTL 
easeusee sees 
sii ees 


ee co aay ama 
_ 


Parseeeo reatawenrioy te] TT Td 
prroemnsenens nero [TTT | Pereira ener 

Carnet ov rout ineranent esp PP 
| F000 PONIONING — ss—i—i—isSCsit POUIONING eect 4 fe] Visuay RMOEXTOC. OY COUIP. ETaUCTUNES 806 i a ae 
eco reo | freee ovensercnation ort 
Lorwen secure wuness wot || maocouere coosormarion on riweng  soe{ | | | | 
Ptieaieatreeistine cisesseoertcr ieeay ff | | aessuoceo reco oe oisrance soe} ft 
eo eg ET If sekecrco seoscicouese of serion gop ft tt 
are eee) | [ec Avia raping seecgsasy scriow eee] | of ft 
psucer oepervarion. sarroue sort ft fff rou ation on muscur ouscreurse ert} ff yt 
a ee CO avicaeiom ay ewene et 
rn IMAOVERTEN? OFEM, SELFE ieNucTO R16 Me te 
| OMG) PeCSCRIACO AY wrorcar oreices 810] | TMAOVEMTENT OPER wECHANIC ALLY 14OUC 615 mp by 
poeucs. orwem et Soo -yewgea ( S@ecilfy) ee | 


Name OF INODIVIOU aL 












O'rwea 
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Iv. PERSONAL DATA 
1. ROLE OF THIS INOIVIQUAL IN THE CAUSE OF THIS ACCICENT 
TG CNET cans dt dow 


C. OUTY OR ROLE AF TIME OF ACCIOENT 


2. BACKGROUND DATA (Complete foe eli palotsa and othere she possibly contrsbuted 


&. OATE cast LEave 6. DAY$ OUAaAT IN La§ 
EnOtO (Dey-Me.-VYr.) Leave 






ta wishep. ) 














Cc. TYPE OF LAST LEAVE TAREN 
CONVA. 


—E. OURS FLOONM IM LAST 24 F. MOUMS FLOON Im LAST 68 G. SOMRTIES FLOM 1m Lag? 
HOURS aOURS 24 mOURS 













0. OATE OF LaST PREVIOUS 
rLicuy (Dey-#e.-Yr.) 


4. SORTIES FLOeNM IM LAST 40 1. MOURS PORREQ 1% LAST 24 Je. HOUNS #S08KEQ Im LaST 46 RK. MOURS SLEPT IN Las? 
MOURS nouns MOURNS HOURS 


































HRSG. CONTINUOUSLY 
AGAKE "# R108 TO 
MiSmaP 


O. wOURS DUAATION OF 
Last SLEEP PERIOD 


4OuRG CONTINUOUS 
OuTY PRION TO MIS- 
waP 


Me Me wae 





Time 31% COCKPIT 
Paice TO FLIGHT 
(Hre.. Min. } 


Le. MOURS SLEPT Ih 
LastY 480 MOURS 










@. QUMATION PREVIOUS 


Q@. BATE LAST PREVIOUS 
FLY. TIS MOOEL 


FLT. Yrs MOOEL 









OEPLOVEO yumers 


$. OATE OEPLOVED T. MO. OAYS IM AREA U. TIME SINCE OCPLOY- 
ment 


3. PHYSIOLOGICAL ANO VERTIGO TRAINING (For eff pereenne!) 


MPLET q 
TYPE OF TRAINING ACCOMPLISHED PLACE FRAIMING ACCOMPLISHED | comPtereco | LErEo cone 
4, ANTHROPOMETRIC OATA 
OayTe oF erate (Dey-Menth-Yeer) O. SITTING HEIGHT (Incheon) G. BUYTOCK-ANEE LENGT achean 
— Se 


Ce. WEIGHT (Laan. ) 1. SHOULOEM @IOTM (@IDELTOIOH 
(Snehee)} 


3. TOTAL VEARS OF FORMAL EQUCATION 6. GRADUATION FROM UNDERGRAQUATE FLIGHT TRAINING 


AVIATION SCHOOLS ATTENDED SINCE GRADUATION (Inectude data of conpistion) 











FLYING EXPERIENCE 
(Aetech cepy of individaei tlying seperience a0 autiined by AFR i27-2) 


Ase TOTAL FLYING HOURS (Including AF tine, atedent end 
ether sceredited tine) 


FIRST PILOT ANd 

















@.ORIGi MAL s€RONayTi. 
CAL MATIWG AnmQ OATE 


PRESET sAECROnauUT!. 
CAL MATING Ang OaTE 





AVIATION SERVICE CODE aNd FLYING 


er te 
» 
Me i=. | 


mawe OF HHOive over 


ACTItviTY CATEGORY {1a/1, 









§ Fer rela in misheop (ltem 3). 








the fettlosing coden sill he aend) 





0-Me inportence 2- reining aneeshiv haliped 4-Lech of training posewdia fecter 






§.fesianing deliniteoty rotiped §3-Leve of trarareg foliartan fectar %.Unbaoen 
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LIFE SCIENCES REPORT OF AN INODIVIOUAL INVOLVED IN AN AF ACCIDENT/INCIOENT 
SECTION A, AIRCRAFT ACCIDENT/INCIDENT 
(THIS FORM IS AFFECTED BY THE PPIV ACY ACT OF 1974 - SEF LAST PAGE} 








LCUD CONOITIONS 


— | einer 


Z-umoeacagr J- iN CLOUDS 


Tim€ AT CABIN ALTITUDE 


@-ormer (Specify) 
#e1N ant Our OF CLOUDS 


- AMOIENT AL TITYOE aT Tiwe Time AT AMBIENT mORIZON 


OF EWERGENCY (Femt) mgr ALT! TUDE 
MINUTES 2-083CuU FEO 
t 
aa PLACE !N FORMATION 


ecsimcte srecearr | | teteso | | were 13 SUBATION OF FLIGHT 


: yo OTmen (Specify) 


= MEDICAL IMFORMATICNH 
DEGREE OF INJIL 2. Bays wOSPrtacizZec 


emi gs 
S+-wasOR iG 
Land , 
ee en | ve fear ae oe eae 


tn 
eaveeR 
INCURRED OURING MISHAP Lee eranderd normencieture 270 cocine for Nature end 
ae of Inygucy (Line |) end Externai Cause (Line 2° Aiso indicete end code Locetion, 
Pheen of Miecheo, end Problema (Line 3). See AFM 12722 for specific itnetructiona ) 


MATURE AND LOCATION 
@. E€xTeamat Cause 
CC. LOCATION, 





HORS MINUTES 





oo we 
















3. 





OaYS IN QUARTERS 











&. GROUNOEO-OuRMATION ( Days} 









UNCONSC!CU$.0UPRT! 7 























a. 












PHASE OF MISHAPS, AND PROGLEMS 
A. MATURE ONO LOCATION 

@. EXTERNAL CausE€ 
Cc. LocaTion, 


















Pu ASE OF MISHAP, PROBLEMS 





4, 
a. 
Cr 


MATURE ANDO LOCATION 
ExTEAnNaL Cause 













LOCATION, 








PueaSh OF wI gnats, PROOL EMG 
&, wMaTYURE ANDO LOCATION 
@. ENTERAL CAUSE 


CC. LOCATION, 














PHASE OF mISMAPY, PROGL EMS 





A. 
8. 





MATURE ANG LOCATION 
ExnTEAma. CAUSE 














GC. LOCATION, PRASE OF wISmAPS, AND FROQLEMS 


J 
aa TESTING] ESL 
eaneon wonontoe [| ieee 
i ee nm CL 
Pie | 


aw eee eee 


@. AReMay AESUL TS 





















OILSEASES/OREFECTS PRESENT aT TiwE OF MISHAP 


TE 
aNNY AL Sica ayt3°gy aeurwoeity 
ae ec Ca 





O1aGrosi 9 


AUTOPSY CONDUCTED 8Y 


PATHOLOGIST? a 


12, REmMARaG OR CONTINUATION OF ssOove 








T-FROTEM TISSLE 















13. mya MEL LP aBILI ry F281 The 


Cj ves (J *0 


MAME OF INODVIOU aL Caerttl OF wtymaP 
LEAVE AL atin 
ASSIGNEO unit Mare OF ASSIGvvEtnt aest | 7. wean aa ee -% 
“Cc. wc 


a . 
aimceas’ wO5 ALO nar i Cag Marry wast | 
| 






CANS nO 


c@1 ret ae 
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/ 


my. TRAINING RELATED TO THIS ACCIDENT/ INCIDENT 


agpsc(or other) TAAaINING NAME OF COURSE O09 UF Davey afTENTE? APT ETUOR $CIAFS SOPLICAQLE 





PERSONAL AND PROTECTIVE EQUIPMENT ¢ Speer fy ail applecable items of equiprent 


on appropriate Iiinae and indicate ali types af clothing ana anv other equipment that influenced saperatran) 


NOMENCLATURE 4NO QE- t AVAiL» 
MOOEL DESIGNATION JIeEO | aBLe 


weAD PROTECTION a eee eee 


EYE PROTECTION | t 
EAR PROTECTION | | | 


eer Se ae 
CLOTHING WORN t Dwi ie 

oe ee LT 

Rome | 

Sec ee (ee 

PRichm | | lomsp | 1|. |. COS 

Se 

recsvemincsisutoe ee Td 


VEHICLE /EQUI PMENT 
a Sk a INSPECTION CERTIFICATE 


TINTEO RECESSED STEERING OATE 
WINDSHIELD WHEEL Gales Ay a 





- O'S. 
xec0€D | carnoeo | & 75? PROBLEMS 








PAODEO OASH 


Rt 





MECHANICAL CONOITION (Indicate by (0) Satiafaectory of (u) Unaatisfactory) 


a ee icicle eres |e stor tcanrs SSS 
Vil. CAUSE OF INJURY OR DEATH 

D[astavca steeamma coum | emwomiac | [ewson «dC Cid ounce aed 
ie erg rsintsommoseer [eee | orem SCS 


J°PEQDESTRIAN STRUCK Me STRUCK SUBMERGED 
xP 
BY VEHICLE pecewoue | oe ie eer 


EE vsornee 


Vill. ACCIOENT AREA AND CONDITIONS (Specify all applicable :tenrs) 


TYPE OF ROAD ROAD 
Ll SURF ACE —— COND! TION a RES Ook _ CONFIGURATION 


| | teconcrere | | | teary | 1sONE I uiconcaneu or | 1- $TM@AIGHT 
Renee er eee ee ee 
I eC CT 
ft seorer | se sts pseorvicea ros cave | 
CMSs ieee | eae 
ae cc 
nce een ee 


iX. Ne 


TwIS SECTION’ DUCLUMES MITICBL, PFASOUVAL OND FVLP Arne APE BALh AR TERETE AELATNA ON THF APO CEN YT aNGy/s 
OR INJURY C4USATION. Tee ANSLYSIS$ OF ALL FACTORS ae MEON TAL OFCICEAs, sits APPAOKPGL ATE JECQOVMENCATIONS AASEO OM 
FIQST wang OMSEAvVATIONS 19 OESIMEN. INTLL OF CP NP LOGE ML A eT SF AT PTL UTHER DE OME VIDUS ~F we. 721FO@ ALL PER 
SONS POSSIBLY CONTRIBUTING °9 UNSHAP.) (Continue un addittanal cheet tf necestary ) 

















ee | - mm i 


a. h (Optrvaal) 


taante OF TDs 60 148U 












EGRESS - SURVIVAL GENERAL (Complete for aii! 
iN ALRACRAFT $. 






tadividuels 
OROER OF £$caME (Tat, Ina 











LOCATION 


1 © COCeFrr? OR FILOT°S COmPROTWENT 











7 REASON(S) FOR ESCAPE 


{More than one way eooily) 


ees 2 2 NMOVICHTOR’ S/ENGINEER’S COMPARTMENT 


P| 2 = PASSENGER'S COMPARTMENT ( Singte Seck) 


A © PASSENGER'S COMPRRTUENYT f Upper sect) 






one Aer URESE TPLOSION scaerTtoe juratr 
ee et @-t0ss IF CON TOOL ea GPOUNO STRUNG, }uMPacTr 







@ PASSENGER'S COwPaRtTuEnT (Lower deck) 


LONGITVOINAL LOCATION et |e ores 
ioe (emer oisrs ne eecersmicere[ comnicariows. eevee ro cscare | 
Te ee me eines sae 
ire sn (Oro 


| as 
9. NUMBER OF PREVICUS 


Cry fC jJumPs JUMP 
=" op CE 
2 METHOO OF ESCAPE (More then one may eppiy) 
fT teaccowrersneo (Free of etrerafty TERRAIN OF PARACHUTE LAROING/CRASH SITE 
ea eric seierracecticiciccricp (| eruareceee | ie tees 
cc TERETE AE 
TT icsecours vance (Free of sseerely | erate anten omte[[eraeviner veer nant 
ego cs el sere ew atte vee 
Mitcsam nce 
PT oceerirrecy nar arveseren | ners | feereet 
ea aie ccc Ge (u-err eens | vores covers 
"emergency ground egreen) | | us eumwavsoveneun || 
|| sccawareovassisteo our AIRCRAFT ATTITUDE AT TIME OF ESCAPE 
Me Ceeremtrnn reac en tcuT mmm er ET itee en fitane or efter ereeh, ditcning. ete.) 


| sf ee unmnown IF ESCAPE acCcomePL SHED ee cave 
[|__| ertscsres wetnoe yrenoes 


Ext? useo a OOen Shim 











































femOmmar Exit (Brection efter blowing canopy) 


SS ee ee 
[[a-nowmat_exrt (Through eononr) sd mnt OOSSCOSCSOSOSCSCSCSCSCSSCS 
i a a 


S.. COCKPIT/CABIN CONOI TION AFTER !MPACT 
ae 1-STM@AIGwT AmO LEVEL 


Jominge oamace (Oefiartely *abittedbie) 
area J-uUNE Oey 














than canopy ftoee, etc.) 











Z-REASOMAOLY imTACT (Probsbiy hebvbitedbie) 












aha Ree nea Ae 





opperfunrty to eetcepe. 

‘Use the fallowing codee eta 
shew cale tre:aring pleyed 
erm thee wmrphep. 

















O-mQ 1° CaTANCE 


amet scar 


$-FORiming OCFims TEL VY wmERPEO 
Om reece 





Te TRAIMING POSSIRLY wmEL PED 


3+LaCKR OF TRetmIinG OEFIMITELY 
& *acToe 





4-- ace OF 
a eac Toe 





FRAINMING POSS IOLY 


O-UNMe NOB 


meme OF INDI VIOUAL 





2G 









EJECTION OR BAILOUT (Compiet« for ali inflight escapes and ejections) 





. TIME FROM ONSET LNTIL ESCAPE ATTEAPT was INITIATED 1O POSITION OF EJECTION SEAT AT TIME OF EJECTION 


1 
{SEE UCL CR CEC TE CR a eC 
2 


DELAY IN INITIATING ESCAPE DUE TO ener PoINTEAMMEGIATFE POSITIC ee P-UNE/NOT APPLIC ARLE 











S€Ppanate TUMBLING 


T. @TTEMPTING 2. AVOIOING 3 AVOIOING t= METHOD OF SEPARATING MAN FPOM SEAT 
TO OVERCOME POPULATED UNSUITABLE 
PRoOOLEM AREA TERRAIN 0-010 NOT 2-$PON TANEOUS 
$- LOSI9G @. 10316 
acTirvo at RSPEED S-OTwWER 





TERRAIN CLEARANCE AT TIME OF 9-UNKNOON 


PARACHUTE CPENING | Q1@SPFEEQ at fiwt OF 
(Fant) ESCAPE TYPE OF SEAT SEPARATOR 


Wide aac [onace — 
a PROTERT ve neuer meuwer visor coneneo [[orvevemure | [erswosenss [| ERSTE 


APasténto METHODS OF DEPLOYING PARACHUTE 


Paw SMEARS aa | Oe [eneecrteves [| cavemen een 
eee fa ier eae ence 
fousime_eontss | ||| |_| ||| | [etenomvens id) i serie ed 
A 

[tanned 


CMINM STRAP FASTENMED MAP E STRAP FASTENEO 
SNUGLY SMUGLY PARACHUTE OPENING SHOCK 


Se Sneaureiane eC a 


ZERO LANYARO 
a 8 Den EG: 1*0g O- 9- 
“OSCILLATIONS LiGtare emarte UR 
Oe avait ae e/noar 


WnEm CONNECTED 


Z-pmion 10 ESCAPE ee 
OURING EMCRGENCY PARACHUTE DAMAGE (Given numbar) 


gee RUavieete | |teunenome SEVERCO S#ROUD LINES TOWN PANELS, MAJOR 


SURVIVAL FACTOR 


OfNn AmELS. MIND 
Dp “MOT a FACTOR 1-FACTOR IM SURVIVAL 
SURVIVAL 
Cash (pac tomlin CAUSE OF PARACHUTE DAMAGE 


. RUTOMATIC LAP BELT RELEASE [TP avroutes on ascent |_| 


1-MELEaSED 2°OP ENEO B-DrmER ( Vewcrid PUNE NOON MONE 
MANUALLY 


auTg. a$ 
CESIGNED 
IMAOVER- cOne 408 


2° aMOTHER e OIRECTION OF ORIFT/OSCILLATION 




















1*PRIOR TO EMLRGENCY 
























t+Twis 


imeOe viOUaLl 


IwOrvrOuUal FACEO AT CHUTE LANOING 


1-DIRECTLY 3* QUARTERING 
| | Deer. wor arrcwmreo | | t-accomPtisneo PECUNS FeCUNS 





















= TeaTTEwRTEG Unsuccesa A | Jounn +f aAtTEWPTEO ee te QUARTERING a S-ouRneeriy | [seueenom | 
METMOO OF IMITIATING REMOVAL once S10CeAavsS 
Bee cence | 76 NANGINGTCOROT TIONS 

feiisoming == CS MANUALLY UNLOCK EO ype UNDER PahacrwyuTlE 
B-otwer (Describe; 

7 eveeT ION i 


PARACHUTE LANDING POSITION TECHNIQUES 


tog * 
1+ Twigs Z-anOTrwren 9-o Tne a a pee ee cue eg Fee esca weno 
INOIVIiOuaLr INOtVYIOUAL UNE NOW JF ELL FORWARO | ee OTE ®/UNRSORN 


Pewec MANET AY FaTLH OFS SO MOR ea Set Oke t p veuae | 






















O'stanC€ ORAGGEO ( Yards) 















Ns 


edt FEFOEE LANDING 


Po 


oe 


——= — 





wl at mo sei “ets 


ee ee - ome ee ed 


eS | | \ 
Pena nee: 2 


Je. Feaan eeeerices { E | 


@erarigay | Sec em iem 1t FN fae gin 
= == =e @& em ee oO a a — a — 2 ae © One _——_ - .- oe ee ee 


Beige ey ; {@- 


FEEL ATION Pak 4 





- a 


PLE SING Coe 4 





-t Met, Cot FE 











Mami ay 16 Ferber ays 
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USAF MISHAP REPORT 


(Fill in all epeces appliceble. If edditional space ts needed, use additionel sheei(s).) 


+, DATE OF OC CURAENCE (Dey, 2. VEHICL Efe) OFM MATERIEL INVOUL VEO (Model 3. FOR GROUND ACCIOENTS ONLY 
Month end Y eer) designetion end eeriel no. if epplicebie) (Beee Code end Repart Seriel No.) 


a. PLACE OF OC CYURAENCE. STATE, COUNTY, SOISTANCE 2NO DIRECTION FROM] 6. HOUR 4ND Time a 
MEAREST TOWN. (FF ON BASE, (OENTIFY. |\F OFF BASE GIVE OISTANCE FROM ZONE LOCAL GI OAay CC) wtenr 


NEAREST BASE, 
CT) oawn Cj ousx 


ORGANIZATION POSSESSING OR OWNING VEHICLE OR MATERIEL AT TIME OF MISHAP 


_ «itl —- | | | 


(Liet orgentzretionse of second vehicie, il they diller lram liem 7 eboave) 





9. ORGANIZATION ANO GASE SUBMITTING REPORT (Do not ebbreviete) 


LIST OF PERSONNEL OIRECTLY INVOLVED 
(See AFR $2742 lor epeciiic inetructione) 


Og¢agrte |; OAYS tosr 
INJUAY 
(Use Abbe) 


1 (Bator eppliceble lecter(e) in DEGREE INJURY column. Nonew¥; Temporery TotaleTT; Permenent Pertiels-PP; Permenent Totel-PT; 
FeteleF; Missing) 


11, PACTUAL SUMMARY OF CIA CUMSTANCES. GIVE A OETSILED HISTORY OF FLIGHT OR CHRONOLOGICAL QROER OF FACTS ANDO 
CrRCumsTAnCcEs LEAOING TO TNE MISHAP, THE RESULTS OF INVESTIGATION WILL 6E CONTAINED IN THE *4NALY3I3 PART? 
OF TNE REPORT. ANALY 313 OF 2NO CONCLUSIONS OR AWN FROM ORAL OR WRITTEN STATEMENTS OBTAINED ONLY IN TNE 
INTEREST OF WISIHMAR PREVENTION WILL NOT BE INCLUD EO IN THIS SUMMARY. 








12. AUTMENTIC ATION 
CEAMTIFIC ATION OY (Tite) TYREO Name ANDO GRACE SIGNATURE OaTEe 





Zc 





APPENDIX D 


SAMPLE FORMAT OF SYSTEM SAFETY HAZARD ANALYSIS 


oo LEM 
SUBSYSTEM 
COMPONENT 



















Descriptive 
short title 


Description 
of the 
effects of 


Description of 
action taken to 
eliminate or 
minimize and 
control the 
hazard. All 
safety design 
requirements, 
safety proce- 
dures, proba- 
bilities of 
occurrence, 
safety devices 
used, and any 
other signifi- 
cant action 


















is classi- 
imfeshealorg! 










ee 





APPENDIX E 


SAMPLE TREND CHART 


— Spee AU ro. TREND 
Ee eee as 








ale 





PIC = pPaA 3 















a MAR ts = FF 5 = : 
ee : ae TiAr ph) LAADI NG. nasy 
AP Dor - a 
= 
of 
e 36 
A 32 } 
E i 
a 28 
' 
1 
24 
; . i | 
20 ws, | 
'} Se \ | 
Q AM A a =) = . 
} 16 _ ig 
A —- Vee 
12 \/ \ 
ey 
H 8 - 
R 
S 4 
CLABES Aas aE aie JIS eae tts ft 
poe a ee BL {LIe. | Se 
RATE enn «=©6ChLTRENQULCLUCOUCU 


Tres / WHEELS 


PECING HOWPS FUR THIS OUTPUT 


9259 10°59 11036 11633 
11667 11754 11898 13465 
19023 9725 11137.7 3088.57 
SLOPE = .3420459443.357 IMTERVEPT = 13 .660263\/07 





CORRELATIVUN COEFFICIENT = .1S9594294025 


90 % CONFIDENCE INT FOR SLOPE 2-1. 36992466635 TO 2.0540E1 55 si 
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